A new form of information-stealing malware called Baldr believed to be the work of experienced hackers is making the rounds in Russian underground forums.
On Tuesday, researchers William Tsing, Vasilios Hioureas, and Jérôme Segura from Malwarebytes
published a report on the new malware strain, found to be newly-introduced to interested cybercriminals.
Information stealers such as Baldr have proven popular in rapid-fire attacks and phishing, given their ability to capture information including machine data, browser history, some stored passwords -- depending on how and where they are buried -- and valuable files.
Baldr is no different. The malware has "high-level functionality" and the team says is by no means a script kiddie effort thrown together for quick cash.
Instead, Baldr is able to gather user profile data including browser information, as well as detecting the existence of cryptocurrency wallets, VPNs, Telegram, and Jabber. The malware then cycles through the files and folders of key PC locations in order to extract information from important file types.
The data theft then begins, shotgun-style, with .DOC, .DOCX, .LOG and .TXT files of particular interest to the malware's operators. Baldr is able to grab an entire file's contents for transfer to its command-and-control (C2) server.
It is interesting to note that the malware's developers have not tried to obfuscate the data transfer in any way -- at least, at present. Rather than send the information across slowly in a trickle less likely to be noticed, there is simply one large, bulk transfer.
Baldr's operators can also grab screenshots of the victim system should they wish and the malware also comes with a panel that allows customers to view infection statistics and retrieve stolen data.
After completing the data theft, the malware does not maintain any form of persistence. There is also no propagating method included so Baldr is not currently able to spread itself across corporate or networked environments.
"Unlike many banking Trojans that wait for the victim to log in to their bank's website, stealers typically operate in a grab and go mode," the researchers say. "This means that upon infection the malware will collect all the data it needs and exfiltrate it right away. Because often such stealers are non-resident (no persistence mechanism), unless they are detected at the time of the attack, victims will be none-the-wiser that they have been compromised."
