Baldr stealer (also known as Trojan:MSIL/Darbl.A) is a malicious program that steals data. Cybercriminals can purchase this tool from hacking forums to generate revenue by misusing recorded (stolen) information. Generally, they present this program as a tool that can be used for a number of purposes. At the time of research, it was promoted through CS:GO cheat videos as a program that supposedly allows users to cheat when playing this particular game. In this way, cybercriminals trick people into downloading and installing this rogue program.

Baldr is likely the product of three threat actors: Agressor for distribution, Overdot for sales and promotion, and LordOdin for development. Overdot, which was previously linked to the Arkei stealer, markets Baldr on message boards, helps customers via Jabber, and addresses complaints in the boards’ reputational systems. Baldr has proved popular on Russian hacking forums, researchers point out, and has a reputation for decent communication with its authors.

Since it was first detected, Baldr has evolved from version 1 to version 2.2, the latest edition analyzed by the Malwarebytes team. Researchers collected a few different versions of Baldr, which has short development cycles and was most recently updated on March 20.

Baldr’s main functionality can be described in five steps: it first collects a list of user profile data, from the user account name to OS type. After that, it goes through files and folders in key locations on the machine, keeping an eye out for sensitive info. Baldr then performs “ShotGun” file grabbing, collecting the contents of any .doc, .docx, .log, and .txt files it finds. The last step in data collection is to grab a screenshot of the user’s computer. Finally, it exfiltrates the package.

Baldr can look for regular SQL databases as well as custom formats and taps into the following locations and application data folders to steal information:

AppData\Local\Google\Chrome\User Data\Default
AppData\Local\Google\Chrome\User Data\Default\Login Data
AppData\Local\Google\Chrome\User Data\Default\Cookies
AppData\Local\Google\Chrome\User Data\Default\Web Data
AppData\Local\Google\Chrome\User Data\Default\History
AppData\Roaming\Exodus\exodus.wallet
AppData\Roaming\Ethereum\keystore
AppData\Local\ProtonVPN
Wallets\Jaxx
Liberty\
NordVPN\
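The five collection steps above and the list of targeted locations give a defender two concrete signals: one process reading several credential or wallet stores it does not own, and the same process reading a burst of document and text files in a short window. The following Python sketch is an added example, not code from the article or from Malwarebytes; it scores constructed file-access events against exactly the paths and extensions listed on this page. The event format, the process names (including the constructed "csgo_cheat.exe"), the owner mapping, and the thresholds are assumptions chosen for illustration and should be tuned to real telemetry.

```python
"""Added detection sketch: score per-process file-access events against the
locations and file types the article attributes to Baldr.  Event format,
process names, owner mapping and thresholds are assumptions for illustration."""

import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Locations the article lists as Baldr's targets (relative to the user profile).
# Specific files come first so the generic Chrome profile folder, listed last,
# only matches paths the specific entries did not.  Liberty and NordVPN are
# listed as folders, so they carry surrounding backslashes (non-raw strings).
BALDR_TARGET_PATHS = (
    r"AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"AppData\Local\Google\Chrome\User Data\Default\History",
    r"AppData\Roaming\Exodus\exodus.wallet",
    r"AppData\Roaming\Ethereum\keystore",
    r"AppData\Local\ProtonVPN",
    r"Wallets\Jaxx",
    "\\Liberty\\",
    "\\NordVPN\\",
    r"AppData\Local\Google\Chrome\User Data\Default",
)

# Extensions the article says the "ShotGun" grabber collects.
SHOTGUN_EXTENSIONS = {".doc", ".docx", ".log", ".txt"}

# Process expected to touch a store (assumed mapping; extend per environment).
# Accesses by the owner are ignored; any other process touching it is scored.
EXPECTED_OWNER = {r"google\chrome": "chrome.exe", "exodus": "exodus.exe"}


def _matches_target(path):
    """Return the listed target location a path falls under, or None."""
    p = path.lower()
    for target in BALDR_TARGET_PATHS:
        if target.lower() in p:
            return target
    return None


def _expected_owner(target):
    """Return the process allowed to touch this target, or None if unknown."""
    t = target.lower()
    for keyword, owner in EXPECTED_OWNER.items():
        if keyword in t:
            return owner
    return None


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events, window=timedelta(seconds=60), target_threshold=2, shotgun_threshold=10):
    """Return {process: alert} for processes showing stealer-like file access.

    Each event is a dict with "ts" (ISO-8601), "proc" (image name) and "path".
    """
    per_proc_targets = defaultdict(set)   # proc -> distinct stores touched
    per_proc_shotgun = defaultdict(dict)  # proc -> {path: first access time}
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        proc = ev["proc"].lower()
        target = _matches_target(ev["path"])
        if target is not None and _expected_owner(target) != proc:
            per_proc_targets[proc].add(target)
        if ntpath.splitext(ev["path"])[1].lower() in SHOTGUN_EXTENSIONS:
            per_proc_shotgun[proc].setdefault(ev["path"].lower(), ts)

    alerts = {}
    for proc in set(per_proc_targets) | set(per_proc_shotgun):
        reasons = []
        targets = sorted(per_proc_targets.get(proc, ()))
        if len(targets) >= target_threshold:
            reasons.append(f"touched {len(targets)} credential/wallet stores it does not own")
        burst = _max_in_window(list(per_proc_shotgun.get(proc, {}).values()), window)
        if burst >= shotgun_threshold:
            reasons.append(f"read {burst} distinct document/text files within "
                           f"{int(window.total_seconds())}s")
        if reasons:
            alerts[proc] = {"targets": targets, "shotgun_burst": burst, "reasons": reasons}
    return alerts


# Constructed sample telemetry: Chrome reading its own store and Notepad opening
# one text file are benign; "csgo_cheat.exe" (a made-up name) walks four stores
# and then sweeps twelve .docx files in a few seconds.
_PROFILE = r"C:\Users\alice"
_CHROME = _PROFILE + r"\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"ts": "2019-04-01T10:00:00", "proc": "chrome.exe", "path": _CHROME + r"\Login Data"},
    {"ts": "2019-04-01T10:00:05", "proc": "notepad.exe", "path": _PROFILE + r"\Documents\todo.txt"},
    {"ts": "2019-04-01T10:01:00", "proc": "csgo_cheat.exe", "path": _CHROME + r"\Login Data"},
    {"ts": "2019-04-01T10:01:01", "proc": "csgo_cheat.exe", "path": _CHROME + r"\Cookies"},
    {"ts": "2019-04-01T10:01:02", "proc": "csgo_cheat.exe", "path": _CHROME + r"\Web Data"},
    {"ts": "2019-04-01T10:01:03", "proc": "csgo_cheat.exe",
     "path": _PROFILE + r"\AppData\Roaming\Exodus\exodus.wallet"},
] + [
    {"ts": f"2019-04-01T10:01:{10 + i:02d}", "proc": "csgo_cheat.exe",
     "path": _PROFILE + rf"\Documents\report{i}.docx"}
    for i in range(12)
]

if __name__ == "__main__":
    for proc, alert in analyze(SAMPLE_EVENTS).items():
        print(proc, "->", "; ".join(alert["reasons"]))
```

Matching is done by substring on lower-cased paths, so a real deployment would feed it normalised paths from an EDR or Sysmon file-access stream and raise the owner map to cover every store it cares about; the point of the sketch is that the article's path list is directly usable as a detection allowlist-by-owner rather than only as an indicator to search for after the fact.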

Baldr is non-persistent and has no spreading mechanism, so it targets every victim individually and does not attempt re-infection.

Customers of the malware manage all the information via an administration panel, where they get details about the harvest, operating systems infected, and the geographical location.

For any Cyber Security information contact help@theweborion.com