What Is a Baldr Data Stealer and How to Protect Your Passwords Against It
Baldr is the name of a new family of information-stealing malware. Its authors first introduced it to cybercriminal circles in January, and about a month later, Microsoft's security team reported that they have seen it in the wild. Bill Gates' specialists said that the stealer is 'highly obfuscated' which usually suggests that someone has put a fair amount of effort into creating something powerful. On Tuesday, Malwarebytes posted their own analysis, and after following the whole operation from the first to the last step, they were able to confirm that Baldr is indeed the work of a sophisticated hacker. Here's how it works.
Table of Contents
The sale
Baldr's authors have decided not to keep their info-stealing malware for themselves. For a fee, they are willing to share it with other cybercriminals, and perhaps in an attempt to reach a wider audience, they have opted to sell Baldr on clearnet hacking forums instead of advertising it on the dark web marketplaces.
Normally, the cheaper, lower-grade malware is traded on the forums that are accessible through Google, but although Malwarebytes' experts didn't say how much Baldr costs, they noted that from a technical perspective, it definitely stands out from the crowd. There are people responsible for organizing the sale and providing technical support after the deal. They even go as far as addressing any negative feedback on the forums' complaints boards. In other words, Baldr's operators have ensured that organizing an information harvesting campaign is not difficult at all.
The distribution
Not surprisingly the researchers have seen multiple campaigns use different distribution methods to infect users with Baldr. There are, for example, YouTube videos advertising a computer program that can generate cryptocurrency coins for free. To get it, the users need to click on a shortened URL in the description of the video, which, as you have probably guessed by now, leads them to Baldr.
There are apparently people who can fall for such a poorly constructed scam, and if you're not one of them, you can always get infected through the Fallout exploit kit which has also been seen pushing the information-stealing malware.
The heist
Although it comes with a few notable detection evasion mechanisms, there's nothing groundbreaking about Baldr's information stealing operation. Once executed, the malware first profiles the victim, collecting all sorts of details, including the version of the operating system, the system locale and language settings, the amount of free disk space, etc.
Then, it takes a look inside the AppData and Temp folders. The purpose of this is to steal stored passwords, auto-fill data, and browsing history from browsers, as well as other information stored by instant messaging applications, FTP clients, VPN solutions, and cryptocurrency wallets. Baldr doesn't just copy the files, though. Instead, it opens them and only takes the data it needs.
Once it's ready with the AppData and Temp, it moves on to the Documents and Desktop folders and works its way through every single subdirectory, scraping the information from DOC, DOCX, LOG, and TXT files.
Finally, Baldr takes a screenshot of the infected computer's desktop and sends it, along with all the other stolen data, to the Command & Control (C&C) server. The crooks that pay to use Baldr are given access to an administration panel through which they can download the stolen data and view statistics about their campaigns.
The escape
Other malicious programs have a number of mechanisms to ensure that they remain on the victim's computer for as long as possible. Baldr has no such intentions. It's advertised as a "non-resident" information stealer which means that it has no persistence mechanisms at all.
Instead of trying to stay under the radar by slowly and quietly sending the data to the C&C, it puts it all in one big ZIP file and transfers it at once. As soon as it's done, the stealer deletes itself, leaving as few traces behind as possible. The goal, as you have probably guessed, is to avoid detection by the security solutions that might be installed on the victim's computer.
As you can see, Baldr is a powerful info stealer that has more than a few tricks up its sleeve. What's more, anyone with a few spare crypto coins in their pocket can buy it and organize a campaign of their own which means that predicting the future distribution channels is practically impossible.
Ensuring that you are protected against it will not be easy because although many security products already detect it, its authors will likely update it and include additional evasion mechanisms. What you can do is make sure that at least some of your data is safe in case you end up getting hit by Baldr. As we have mentioned before, although browsers do encrypt the login credentials and the rest of the sensitive data you save with them, they don't do it very securely, and information stealers like Baldr have been taking advantage of this for a while now. If you use a dedicated password management application, this type of malware will not have access to usernames and passwords.
