Baldr is the name of a new family of information-stealing malware. Its authors first introduced it to cybercriminal circles in January, and about a month later, Microsoft’s security team reported that they had seen it in the wild. Bill Gates’ specialists said that the stealer is ‘highly obfuscated’, which usually suggests that someone has put a fair amount of effort into creating something powerful.

The sale

Baldr’s authors have decided not to keep their info-stealing malware for themselves. For a fee, they are willing to share it with other cybercriminals, and perhaps in an attempt to reach a wider audience, they have opted to sell Baldr on Clearnet hacking forums instead of advertising it on the dark web marketplaces.

Normally, the cheaper, lower-grade malware is traded on the forums that are accessible through Google, but although Malwarebytes’ experts didn’t say how much Baldr costs, they noted that from a technical perspective, it definitely stands out from the crowd. There are people responsible for organizing the sale and providing technical support after the deal. They even go as far as addressing any negative feedback on the forums’ complaints boards. In other words, Baldr’s operators have ensured that organizing an information harvesting campaign is not difficult at all.

The distribution

Not surprisingly, the researchers have seen multiple campaigns use different distribution methods to infect users with Baldr. There are, for example, YouTube videos advertising a computer program that can generate cryptocurrency coins for free. To get it, the users need to click on a shortened URL in the description of the video, which, as you have probably guessed by now, leads them to Baldr.

There are apparently people who can fall for such a poorly constructed scam, and if you’re not one of them, you can always get infected through the Fallout exploit kit which has also been seen pushing the information-stealing malware.

The heist

Although it comes with a few notable detection evasion mechanisms, there’s nothing groundbreaking about Baldr’s information stealing operation. Once executed, the malware first profiles the victim, collecting all sorts of details, including the version of the operating system, the system locale and language settings, the amount of free disk space, etc.

Then, it takes a look inside the AppData and Temp folders. The purpose of this is to steal stored passwords, auto-fill data, and browsing history from browsers, as well as other information stored by instant messaging applications, FTP clients, VPN solutions, and cryptocurrency wallets. Baldr doesn’t just copy the files, though. Instead, it opens them and only takes the data it needs.

Once it’s ready with the AppData and Temp, it moves on to the Documents and Desktop folders and works its way through every single subdirectory, scraping the information from DOC, DOCX, LOG, and TXT files.

Finally, Baldr takes a screenshot of the infected computer’s desktop and sends it, along with all the other stolen data, to the Command & Control (C&C) server. The crooks that pay to use Baldr are given access to an administration panel through which they can download the stolen data and view statistics about their campaigns.

The escape

Other malicious programs have a number of mechanisms to ensure that they remain on the victim’s computer for as long as possible. Baldr has no such intentions. It’s advertised as a “non-resident” information stealer which means that it has no persistence mechanisms at all.

Instead of trying to stay under the radar by slowly and quietly sending the data to the C&C, it puts it all in one big ZIP file and transfers it at once. As soon as it’s done, the stealer deletes itself, leaving as few traces behind as possible. The goal, as you have probably guessed, is to avoid detection by the security solutions that might be installed on the victim’s computer.
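Because the stealer does everything in one short burst, the sequence described in “The heist” and “The escape” can be hunted as a per-process chain in endpoint telemetry. The sketch below is an added example, not code from the original article or from any vendor's product; the event tuple layout, the thresholds and the sample events (including the `coingen.exe` name) are constructed assumptions, while the credential-store file names are the ones Chrome and Firefox use.

```python
import ntpath
from collections import defaultdict

CRED_STORES = {"login data", "web data", "cookies", "logins.json"}  # Chrome/Firefox stores
DOC_EXTS = {".doc", ".docx", ".log", ".txt"}   # file types the article lists
WINDOW_S, MIN_DOCS, MIN_STAGES = 120, 3, 4     # assumed thresholds, tune per environment
# Constructed telemetry, not from a real incident: (t_seconds, pid, image, action, target)
U, BAD, BAK = r"C:\Users\a", r"C:\Users\a\Downloads\coingen.exe", r"C:\Tools\backup.exe"
LOGIN = U + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EVENTS = [
    (0, 4120, BAD, "file_read", LOGIN),
    (1, 4120, BAD, "file_read", U + r"\Documents\notes.txt"),
    (1, 4120, BAD, "file_read", U + r"\Documents\work\plan.docx"),
    (2, 4120, BAD, "file_read", U + r"\Desktop\vpn.log"),
    (3, 4120, BAD, "file_write", U + r"\AppData\Local\Temp\out.zip"),
    (4, 4120, BAD, "net_connect", "203.0.113.7:80"),
    (5, 4120, BAD, "file_delete", BAD),
    (0, 700, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_read", LOGIN),
    (0, 900, BAK, "file_read", U + r"\Documents\notes.txt"),
    (1, 900, BAK, "file_read", U + r"\Documents\work\plan.docx"),
    (2, 900, BAK, "file_read", U + r"\Desktop\vpn.log"),
    (3, 900, BAK, "file_write", r"D:\backup\docs.zip"),
    (4, 900, BAK, "net_connect", "198.51.100.9:443"),
]

def stages(events):
    """Return {pid: stages of the grab-zip-send-delete chain seen within WINDOW_S}."""
    seen, docs, start = defaultdict(set), defaultdict(set), {}
    for t, pid, image, action, target in sorted(events):
        if t - start.setdefault(pid, t) > WINDOW_S:
            continue  # only the burst right after the process's first event counts
        low = target.lower()
        name, ext = ntpath.basename(low), ntpath.splitext(low)[1]
        if action == "file_read" and "\\appdata\\" in low and name in CRED_STORES:
            seen[pid].add("cred_store")
        elif action == "file_read" and ext in DOC_EXTS and ("\\documents\\" in low or "\\desktop\\" in low):
            docs[pid].add(low)
            if len(docs[pid]) >= MIN_DOCS:
                seen[pid].add("doc_sweep")
        elif action == "file_write" and ext == ".zip":
            seen[pid].add("archive")
        elif action == "net_connect" and "archive" in seen[pid]:
            seen[pid].add("upload")  # outbound connection after the archive was written
        elif action == "file_delete" and low == image.lower():
            seen[pid].add("self_delete")  # process removed its own executable
    return dict(seen)

def alerts(events):
    """PIDs that read a browser credential store and completed at least MIN_STAGES stages."""
    return sorted(p for p, s in stages(events).items() if "cred_store" in s and len(s) >= MIN_STAGES)
```

In the constructed data, the browser reading its own store and the backup tool zipping documents each match only part of the chain, so neither is flagged.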

As you can see, Baldr is a powerful info stealer that has more than a few tricks up its sleeve. What’s more, anyone with a few spare crypto coins in their pocket can buy it and organize a campaign of their own which means that predicting the future distribution channels is practically impossible.

Ensuring that you are protected against it will not be easy because although many security products already detect it, its authors will likely update it and include additional evasion mechanisms. What you can do is make sure that at least some of your data is safe in case you end up getting hit by Baldr. As we have mentioned before, although browsers do encrypt the login credentials and the rest of the sensitive data you save with them, they don’t do it very securely, and information stealers like Baldr have been taking advantage of this for a while now. If you use a dedicated password management application, this type of malware will not have access to usernames and passwords.

  • Baldr was used to target PC gamers living around the world; Indonesia (21%), the United States (10.52%), Brazil (14.14%), Russia (13.68%), India (8.77%) and Germany (5.43%) were the countries most affected
  • It was named Baldr as security researchers believe it to be the handiwork of LordOdin, a hacker active on Russian forums
  • Security researchers at cybersecurity firm SophosLabs have released a detailed report on Baldr, a new type of malware that first surfaced in January on Deep Web and then went out of circulation in June 2019 after a falling out between its creators and distributors. The malware was used to target PC gamers across the world. According to Sophos’ report, Indonesia (21%), the United States (10.52%), Brazil (14.14%), Russia (13.68%), India (8.77%) and Germany (5.43%) were among those that were most affected.
  • SophosLabs points out that malware like Baldr is usually sold on the Dark Web (where hardcore cybercriminals lurk), but the authors behind the malware wanted to make it available to a larger group of cybercriminals and so released it on the Deep Web, the part of the World Wide Web which is not indexed by search engines and which lies between the Surface Web and the Dark Web.
  • Even though the malware is no longer in circulation on Deep Web, the researchers believe cybercriminals who have access to the malware can still rewrite it and use it to carry out fresh attacks under a different name. “Even though Baldr is currently off the deep market, it can still be used by cybercriminals who had previously purchased it, and is still a potential threat,” warned Albert Zsigovits, a threat researcher at SophosLabs, in a press statement.
  • The malware has been named Baldr as security researchers believe it to be the handiwork of LordOdin, a hacker active on Russian forums. Its circulation was handled by Agri_Man, a renowned malware distributor on Russian forums. Researchers at Malwarebytes Labs, another cybersecurity firm, point out that Baldr is a sophisticated malware that has been written skilfully for a long-running campaign, which is what makes it hard to detect.
  • Baldr scans through all AppData and temp folders on the victim’s computer, looking for sensitive data such as saved passwords, browser history, cached data, configuration files, cookies from a wide range of apps. It first sends a screengrab of the list of all the sensitive files and then the actual files to the hacker.