Baldr Credential-Stealing Malware Targets Gamers (Aug 8, 2019)
Sophos has published a paper covering a trojan called “Baldr” and how it is being used to target the gaming community. The malware package is inadvertently installed by users who believe the application can be used to gain an advantage in a number of online games, when in reality the application's primary purpose is to acquire any credentials the victim uses while the malware is active. The trojan pulls credentials from browsers, FTP clients, instant messaging clients, and some VPN configuration files, and then sends the information back to its command and control server. Distribution methods include data compression archive files (such as .ACE archives) and Office documents, either hosted on malicious sites or spammed in emails. The malware package was first seen for sale in Russian cybercrime-related forums near the end of January this year, and victims of Baldr include users in Russia, the United States, Singapore, Brazil, India, and Germany.
Recommendation: All individuals who play online games, or those with children who play online games, should be aware of the risks posed by visiting less reputable online locations and opening attachments within suspicious emails. Parental and security controls should be in place to prevent malicious activity from these sorts of threats. In a case such as this one, carefully researching applications prior to installing them would greatly reduce the chances of infection. Additionally, anti-spam and antivirus protection should be implemented and kept up to date with the latest version to better ensure security.