Aug 14, 2019 14:00:00

Hundreds of FPS players such as Apex Legends are infected with malware via cheat tools and their personal information is stolen

by

Sean Do

Malware that security company Sophos downloads cheat tools for popular first-person shooters such as Apex Legends and Counter-Strike: Global Offensive (CSGO) since February 2019. Reported to be infected.

Microsoft Word-Baldr vs The World-TLP Amber.docx
(PDF) https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf

Hundreds Of Players Trying To Cheat At Apex Legends And Counter-Strike Get Their Private Data Stolen
https://kotaku.com/hundreds-of-players-trying-to-cheat-at-apex-legends-and-1837206180

Users who use cheat tools such as correcting their aim to win an opponent may be infected with malware named “Baldr” that steals personal and financial information. Baldr steals personal information, credit card information, login information for shopping services such as Amazon and Paypal, and login information for services such as Battle.net/Steam/Epic Game from the infected user's PC.

by

Michael Geiger

The figure below shows the domain of the service that Baldr steals login information. The larger the text size, the more users have stolen their login information. There are game-related services such as mojang.com, epicgames.com, and twitch.tv, but there are also major IT services such as google.com and facebook.com, and shopping services such as amazon.com, ebay.com, and paypal.com. I understand that.

According to Sophos, 'Baldr steals credentials, cookies, and cacheable data that can be resold in a matter of seconds.'

And the information that Baldr stealed from the user's PC seems to have been sold on the dark web. Sophos security researcher Albert Zsigovits told Kotaku, an overseas game media, 'What we noticed is that we quickly steal sensitive information and let the victim's credentials flow seamlessly onto the web. Baldr ’s ability. ”

According to Zsigovits, Sophos tracks around 500-600 Baldr

instances around the world. Most of the detected instances are in Indonesia, Brazil, Russia, and the United States. The figure below estimates the infection rate in each country based on the number of PCs infected with Baldr detected by Sophos. Indonesia is the most infected, followed by Brazil and Russia, followed by the United States. In addition, it is speculated that there are PCs infected with Baldr in South America, Europe, Asia and Africa.

The following pie chart shows the percentage of PCs infected with Baldr detected by Sophos. Indonesia (21.85%), Brazil (14.14%), Russia (13.68%), America (10.52%), India (8.77%), Germany (5.43%), France (3.89%), Vietnam (3.83%) Canada (3.62%), Netherlands (3.59%) and Australia (1.43%).

In addition, it seems that the malware Baldr was included in the cheat tool “CSGO Aimbot + Wallhack” for CSGO and the cheat tool “Apex Legends New Cheat 0.2.1” for Apex Legends. It has been confirmed that these cheat tools are linked mainly from the description column of videos that promote cheat activities on YouTube. For example, a movie released on YouTube at the time of article creation distributes a cheat tool from the comment section of the video, and the comment `` Thank you '' of the user who downloaded the cheat and cheat tool is displayed in the reply It is.

In addition, it is confirmed that some tool users are advertising to other users on services such as Twitch and Discord.

It seems that Baldr's activities peaked in May 2019, but their credentials are not sold well on the dark web. But Baldr itself is still breaching data, 'Zygovits said,' cybercriminals who purchased this malware before Baldr disappeared can still use it.