Since February, a number of ne’er-do-well Apex Legends and Counter-Strike: Global Offensive players hoping to download cheats have in fact been infecting their computers with credential-stealing malware, security firm Sophos discovered.
First-person shooter fans hoping to get an edge over their opponents had their personal and financial information siphoned off and sold for months, according to a Sophos report published last week. The malware, named Baldr by its creator, efficiently extracted sensitive data from infected users: credit card information, login credentials for shopping services like Amazon and PayPal, credentials for Battle.net, Steam and Epic Games, and identity information.
Its job, Sophos says, was to “scrape and steal any credentials, cookies, or cached data of resellable value in a matter of seconds.” Baldr was buried inside a number of cheats with names like “CSGO Aimbot+Wallhack” and “Apex Legends New Cheat 0.2.1,” the security firm’s researcher said.
Once they had acquired the data, Baldr operators could sell it on dark web marketplaces. “What caught our eye was Baldr’s ability to quickly steal identities and seamlessly exfiltrate victims’ credentials. Baldr was incredibly effective at bursting in, grabbing everything and rushing out again,” said Sophos threat researcher Albert Zsigovits over email.
Zsigovits says he’s been tracking 500 to 600 instances of the malware internationally, with the majority of cases located in Indonesia, Brazil, Russia and the United States. Advertisements for the malware-infected cheating software appeared primarily in YouTube video descriptions. Its proponents also advertised it in Twitch chats and on Discord servers.
The malware’s popularity peaked around May. But although it’s not getting sold as much on dark web forums, Zsigovits said, it “continues to wreak havoc. The cybercriminals who bought Baldr before it disappeared can still use the malware, and they are.”