Baldr stealer malware has wide capabilities, seeing significant uptake

News by Robert Abel

Stealer malware dubbed Baldr takes cybercrime market by storm with its capabilities including user profiling, sensitive data exfiltration, shotgun file grabbing, screencapping, & network exfiltration.

A new stealer malware dubbed Baldr has been taking the cybercrime market by storm with its capabilities including user profiling, sensitive data exfiltration, shotgun file grabbing, screencapping, and network exfiltration.

Malwarebytes researchers have been monitoring the malware for the past few months and said it is the work of three threat actors: Agressor handled distribution, Overdot sales and promotion, and LordOdin development, according to a 9 April blog post.

Stealers like this are also more popular among cybercriminals than more specialised banking trojans because their high-level functionality is relatively straightforward, providing a small set of malicious abilities.

"This type of malware is popular among criminals and covers a greater surface than more specialised bankers," researchers said in the post. "On top of capturing browser history, stored passwords, and cookies, stealers will also look for files that may contain valuable data."

Researchers emphasised that the stealer is different from a normal banking trojan. While many banking trojans wait for the victim to log into their bank’s website, stealers typically operate in grab-and-go mode: upon infection, the malware collects all the data it needs and exfiltrates it right away.

Stealers also have no persistence mechanisms, so unless the malware is detected at the time of attack, victims often don’t even know they have been compromised.

Baldr first appeared in January 2019 and quickly generated positive reviews on most of the popular clearnet Russian hacking forums due to its reputation for reliability and the relatively good communication of the team behind it, researchers said. Researchers have already noted a few different versions of the malware, indicating short development cycles, with the latest, version 2.2, announced on March 20.

This article was originally published on SC Media US.
