Baldr Malware Unpicked

upnorth

New research from SophosLabs reminds us, where people go, human interest and human failings go too. The research in question concerns Baldr, an up-and-comer in the world of illegal software that SophosLabs has been tracking closely since January.

In simple terms, Baldr is a password stealer, although in reality it’s more of an indiscriminate malware thief with an interest in anything it can carry away. It would steal your watch if it could. We know this thanks to our story’s first bunch of humans: the venerable researchers of SophosLabs, whose job it is to roll up their sleeves and figure out what malware does and how to stop it, after their algorithms have taken things as far as they can. In the case of Baldr, the sleeve rolling started early. In an attempt to frustrate malware analysts, it hides its secrets under layers of obfuscation, so the SophosLabs boffins had to flay it by hand. Baldr employs an excessive number of obfuscation layers (at last count, 9) that thwart static code analysis. Can we hack it? (Yes we can!) What their analysis reveals is a rapacious voyeur.

If you’re unlucky enough to get it on your system, the malware will grab anything that looks like it might contain useful or valuable data. It begins by creating a profile of your system: grabbing a boatload of information about the computer it’s on, such as the CPU model, operating system, system language, screen resolution, installed programs, hat size and favourite colour (OK, it doesn’t capture the last two, but it would if it could). Then it ransacks your web browsers, relieving them of saved credentials, autocomplete information, credit card information, cookies, the domains you’ve visited and your browsing history. After that it hoovers up any FTP logins it finds, and then it steals credentials from your computer’s instant messaging clients and VPNs. If you’ve got any cryptocurrency lying around, it knows how to plunder it from a range of different wallets. And then it takes a screenshot of your desktop, because – why not? It stuffs all the data into an encrypted file and POSTs it via HTTP to a C2 (Command and Control) server before deleting itself in an effort to cover its tracks. As if that wasn’t all bad enough, Baldr can also be used to download other malware from its C2 server.