Malware developers in underground hacking forums are reportedly pushing a new malware called Baldr.
Popular mostly on Russian forums, Baldr won acclaim when it first appeared in January.
Like other malware, it steals information through phishing and rapid attacks.
However, unlike other malicious software, the new stealer does not spread over networks of infected computers, nor does it embed itself on a compromised system, as is the case for Trojans used for espionage.
Baldr is a grab-and-go malware that is not designed to infiltrate networks over lengthy periods.
It is designed to steal passwords, sensitive files, browser history and cookies, then it leaves the infected user device.
Experts at cybersecurity firm Malwarebytes report that Baldr is likely not going away any time soon.
How It Works
Since its inception late last year, researchers have indicated that Baldr’s developers are tweaking it progressively.
Even though it is grab-and-go malware, Baldr features high-level functionality and is by no means just a script for swindling quick cash.
Malwarebytes reports that it is able to obtain user profile data such as browser information. It is also capable of establishing the existence of VPNs and cryptocurrency wallets.
The malware also steals files and folders it finds appealing. The data is then transferred to a command-and-control (C2) server.
The transfer to the C2 server is made in bulk transfers rather than smaller and stealthier streams. Because of the big streams of data, the transfers are detectable.
Unless the attack is noticed while it is happening, it is impossible to limit damage that is already under way.
On the surface, this appears to be a lapse from the developers.
Most attackers try to obscure data breaches in order to remain undetected.
With Baldr, however, their disregard for stealth could possibly result in the malware’s untimely downfall.
Nonetheless, researchers still insist that the source code of the new stealer software is not easy to analyze.
Even though it is written in C++, experts have been unable to completely reverse engineer its code.
The biggest challenge faced is breaking the utility classes and wrapper functions that protect the code.
The malware features several other barriers that make unpacking it time-consuming.
The bulk attack approach by the malware developers does not look like a misstep after all. There are enough protections through various unique functions and utilities.
Three Actors Behind the Malware
Experts at Malwarebytes report that Baldr operates under three different actors: Agressor, LordOdin and Overdot.
These three actors perform actions that range from sales and promotion to development and affiliation, with LordOdin and Overdot being the main perpetrators.
Overdot, as the promotion actor, handles advertisements on message boards and responds to concerns raised by customers via Jabber.
Recently, Overdot clarified claims by customers about the existence of an automated installation bot. He refuted the claims saying that the bots are not linked to them.
LordOdin, otherwise known as BaldrOdin, keeps a low profile even though he monitors and likes posts associated with Baldr.
His main aim is to portray the parent software as a unique entity.
He consequently distances Baldr from other products like Azorult, GandCrab and Dridex.
Agri_MAN is the last of the actors. Also known as Agressor, this third player is known for his dominance in Russian hacking forums, which goes back to 2011.
Judging by the activities, Agressor seems only to have an affiliation with Baldr. There is very limited evidence to suggest that he is part of the development team.
There are rumors suggesting that the developers of Baldr and another malware called Arkei are partners.
This kind of contact and collaboration between cybercriminals is probably the reason why they develop tough malware.
Examining Baldr’s Functions
According to the analysis by Malwarebytes researchers, Baldr’s functionality is quite simple. The complexity lies only in how that functionality is implemented.
Its authors definitely invested a lot of time in creating it. Even though some experts were able to study its payload, they still could not analyze its source code effectively.
During the early stages of a breach, the malware obtains data such as computer name, computer type, OS and user accounts.
Afterward, the stealer software seeks application data from the directories as well as doc and txt files. Filenames and content are preserved in various arrays.
In a signature move, the malware takes screenshots before transferring the data to the C2.
Researchers at Malwarebytes describe Baldr as a “solid” stealer.
They anticipate the malicious software is currently active in various underground forums where the developers are aiming to increase its potency and prominence.
The authors release new versions within months of each other to make it a potent tool in future campaigns.
The past few months have featured numerous activities associated with new stealer software.
Hackers are developing new malware by the day.
The level of sophistication featured in the new malware points to high-level experience by the cybercriminals.
Every new malware has featured a signature move that makes it unique.
For Baldr, the bulk grab-and-go characteristic makes it stand out.
Different from most banking Trojans that wait for the victim to enter login credentials on the bank’s website, Baldr gathers the information it needs and exfiltrates immediately.
Even as Malwarebytes suggests that there is nothing groundbreaking about Baldr, it is no doubt a highly sophisticated malware.
From their analysis, infiltration by the malware can be broken down into five steps: user profiling, sensitive data exfiltration, ShotGun file grabbing, ScreenCap and network exfiltration.
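Because the five steps run back to back and end in one bulk upload, the chain can be looked for in endpoint telemetry. The following is an added detection sketch, not code from Malwarebytes or from the original article; the event format, the thresholds and the browser file names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

WINDOW_S = 120          # assumed: the whole chain finishes within minutes
BULK_BYTES = 5_000_000  # assumed size of one "bulk" upload
MIN_DOCS = 20           # assumed .doc/.txt read count that marks file grabbing
BROWSER_STORES = ("login data", "cookies", "history")  # Chromium profile files

def stage_of(ev):
    """Map one telemetry event to a stage of the chain, or None."""
    kind, name = ev["kind"], ev.get("detail", "").lower().rsplit("\\", 1)[-1]
    if kind == "sysinfo":
        return "profiling"
    if kind == "file_read" and name in BROWSER_STORES:
        return "sensitive_data"
    if kind == "file_read" and name.endswith((".doc", ".txt")):
        return "file_grab"
    if kind == "screenshot":
        return "screencap"
    if kind == "net_send" and ev.get("sent_bytes", 0) >= BULK_BYTES:
        return "bulk_exfil"
    return None

def find_grab_and_go(events):
    """Return (host, pid, stages) for processes that show the chain inside WINDOW_S."""
    per_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            per_proc[(ev["host"], ev["pid"])].append((ev["ts"], stage))
    alerts = []
    for (host, pid), hits in per_proc.items():
        exfil = [ts for ts, s in hits if s == "bulk_exfil"]
        recent = [s for ts, s in hits if exfil and exfil[0] - WINDOW_S <= ts <= exfil[0]]
        stages = set(recent)
        if recent.count("file_grab") < MIN_DOCS:
            stages.discard("file_grab")  # a handful of document reads is normal
        if len(stages) >= 4:  # bulk upload plus at least three earlier stages
            alerts.append((host, pid, sorted(stages)))
    return alerts

def sample_events():
    """Constructed telemetry: pid 4120 runs the chain, pid 900 is a backup client."""
    ev = lambda ts, pid, kind, **kw: {"ts": ts, "host": "ws1", "pid": pid, "kind": kind, **kw}
    store = "C:\\Users\\a\\AppData\\Local\\Browser\\Default\\Login Data"
    evs = [ev(0, 4120, "sysinfo"), ev(2, 4120, "file_read", detail=store),
           ev(30, 4120, "screenshot"), ev(35, 4120, "net_send", sent_bytes=9_000_000),
           ev(40, 900, "net_send", sent_bytes=80_000_000)]
    return evs + [ev(5 + i, pid, "file_read", detail=f"C:\\Users\\a\\Documents\\n{i}.txt")
                  for pid in (4120, 900) for i in range(25)]
```

The backup client in the sample reads the same documents and uploads far more data, yet is not flagged, because it never touches the browser stores, takes no screenshot and does no profiling.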
The developers of Baldr have what it takes to rival competitors.
However, with the high demand for stealer products in various darknet forums, there seems to be a sufficient market for all players.