A new stealer malware dubbed Baldr has been taking the cybercrime market by storm with its capabilities including user profiling, sensitive data exfiltration, shotgun file grabbing, screencapping, and network exfiltration.
Malwarebytes researchers have been monitoring the malware for the past few months and said it is the work of three threat actors: Agressor handled distribution, Overdot sales and promotion, and LordOdin development, according to a 9 April blog post.
Stealers like this are also more popular among cybercriminals than more specialised banking trojans because their high-level functionality is relatively straightforward, providing a small set of malicious abilities.
"This type of malware is popular among criminals and covers a greater surface than more specialised bankers," researchers said in the post. "On top of capturing browser history, stored passwords, and cookies, stealers will also look for files that may contain valuable data."
Researchers emphasised that the stealer differs from a normal banking trojan. While many banking trojans wait for the victim to log into their bank’s website, stealers typically operate in grab-and-go mode: upon infection, the malware collects all the data it needs and exfiltrates it right away.
Stealers also have no persistence mechanisms so unless the malware is detected at the time of attack, victims often don’t even know they have been compromised.
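Because a stealer of this kind reads its targets and exfiltrates in a single burst without persisting, the detection opportunity is the burst itself. The following is an added example, not code from Malwarebytes, SC Media or the Baldr authors: a small Python correlation rule run over constructed, hypothetical endpoint telemetry that flags a non-browser process reading several browser credential stores and then connecting out shortly afterwards. The event format, process names, user paths, PIDs and IP addresses are assumptions made for the example; only the browser artefact file names (Chromium's "Login Data", "Cookies", "History"; Firefox's "logins.json", "cookies.sqlite", "key4.db") are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Browser files that hold the data a grab-and-go stealer goes after.
# These file names are real; everything else below is constructed.
SENSITIVE_ARTEFACTS = [
    re.compile(r"\\(Login Data|Cookies|History)$"),              # Chromium-based browsers
    re.compile(r"\\(logins\.json|cookies\.sqlite|key4\.db)$"),   # Firefox
]

# Processes that are expected to open their own profile files.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed, hypothetical endpoint telemetry: "timestamp|pid|image|event|target".
SAMPLE_EVENTS = """\
2019-04-09T10:00:01|4120|chrome.exe|file_read|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2019-04-09T10:02:10|5532|invoice.exe|file_read|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2019-04-09T10:02:11|5532|invoice.exe|file_read|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
2019-04-09T10:02:12|5532|invoice.exe|file_read|C:\\Users\\a\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json
2019-04-09T10:02:14|5532|invoice.exe|net_connect|203.0.113.10:80
2019-04-09T10:05:00|6001|notepad.exe|file_read|C:\\Users\\a\\Desktop\\notes.txt
2019-04-09T10:05:05|6001|notepad.exe|net_connect|203.0.113.20:443
2019-04-09T11:30:00|7003|backup.exe|file_read|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History
2019-04-09T12:30:00|7003|backup.exe|net_connect|203.0.113.30:443
"""


def parse_events(text):
    """Turn the pipe-separated telemetry lines into dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, image, kind, target = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "image": image.lower(), "kind": kind, "target": target})
    return events


def is_sensitive(path):
    return any(p.search(path) for p in SENSITIVE_ARTEFACTS)


def detect_grab_and_go(events, window=timedelta(seconds=60), min_artefacts=2):
    """Flag non-browser processes that read at least `min_artefacts` distinct
    credential/cookie stores and then make an outbound connection within
    `window` of the last such read. Returns one alert per offending process."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        image = evs[0]["image"]
        if image in BROWSER_PROCESSES:
            continue  # a browser reading its own profile is normal
        touched, last_read = set(), None
        for ev in evs:
            if ev["kind"] == "file_read" and is_sensitive(ev["target"]):
                touched.add(ev["target"])
                last_read = ev["ts"]
            elif (ev["kind"] == "net_connect" and last_read is not None
                  and len(touched) >= min_artefacts
                  and ev["ts"] - last_read <= window):
                alerts.append({"pid": pid, "image": image,
                               "artefacts": sorted(touched),
                               "destination": ev["target"]})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_grab_and_go(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] pid={alert['pid']} {alert['image']} read "
              f"{len(alert['artefacts'])} credential stores then connected to "
              f"{alert['destination']}")
```

On the sample data only invoice.exe (pid 5532) is flagged: it reads three credential stores and connects out two seconds later. notepad.exe reads nothing sensitive, chrome.exe is exempt as a browser, and backup.exe reads a single artefact and connects an hour later, outside the window. The window and artefact threshold are the knobs to tune against your own baseline; the short read-then-connect burst is what distinguishes this behaviour from the slower, login-triggered pattern of a banking trojan.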
Baldr first appeared in January 2019 and quickly generated positive reviews on most of the popular clearnet Russian hacking forums due to its reputation for reliability and the relatively good communication from the team behind it, researchers said. Researchers have already noted a few different versions of the malware, indicating short development cycles, with the latest version, 2.2, announced on March 20.
This article was originally published on SC Media US.