Baldr vs the World

Gamers have found themselves in the crosshairs of criminals for as long as it has been possible to monetize the theft of game credentials. Since the beginning of 2019, SophosLabs has been tracking the activity of a malware family we’re calling Baldr that, initially at least, targeted gamers through the use of misleading online videos.

These videos present the malware as a tool to gain an unfair advantage in a number of different online games, but the real purpose of Baldr is to enable both the purchasers and its creator to engage in identity theft.

We first observed the Trojan being advertised for sale on Russian cybercrime-related forums at the end of January, 2019. By the following month, we saw its distribution begin to increase, along with the price the malware authors were charging to criminals. As its distribution increases, so do the variety of methods that Baldr customers use to infect customers, including the use of maliciously crafted .ace archives and Office documents, which are either hosted for download or emailed to victims.

We consider Baldr an up-and-coming password stealer as we’ve observed its evolution through at least four major revisions over the past seven months. In that time, the malware’s creator has added a raft of new features that put it in direct competition from better-known families. There has also been a bit of drama in the criminal underground, where the main developer and the principal distributor seem to have had a (somewhat public) falling out, with the distributor dropping Baldr as a product for sale. But the malware has not ceased functioning, and we expect it to re-emerge, possibly with a new name.

This paper provides a deep technical synopsis of Baldr malware, including its command-andcontrol administrative web panel, which several Baldr-using criminals carelessly left unprotected and downloadable from open directories. We’ve also come across what appear to be credential dumps generated by Baldr in files submitted to public repositories like Virustotal. While we will refrain from publishing victim details, we’ve anonymized and aggregated some of this data to illustrate the types of data most commonly stolen by operators of Baldr.

We also discuss some of the unique characteristics of Baldr’s killchain (implemented not by the malware’s creator but by its criminal customer base) and its apparent relationship to other malware families, some of which Baldr itself delivers to victim machines as a malware distribution network.