Baldr finally enters the market. Are you aware?

A new malware has recently entered into the market known as Baldr which is linked to Russian Black Hat Hackers.

The MalwareBytes security experts published a report about Baldr. It was first spotted in January 2019.

This type of malware is hard to detect. Some malware can be found at the time of the attack. This is popular amongst cyber thefts and controls a larger surface than more specialized bankers. Aside collecting browsing history, stored passwords, cookies, the stealers searches for files that contains valuable information. It also detects wallets, VPNs, Telegram messenger. Baldr spreads via .doc, .docx, log, text file version and to transfer to its C2 (Command and Control) server.

This malware is the work of three threat actors: Agressor for distribution, Overdot for sales and promotion, and LordOdin for development.

MalwareBytes states that it functions in five steps:

Step 1: User profiling
Baldr starts off by gathering a list of user profiling data. Everything from the user account name to disk space and OS type is enumerated for exfiltration. Baldr starts off by gathering a list of user profiling data. Everything from the user account name to disk space and OS type is enumerated for ex filtration.

Step 2: Sensitive data exfiltration
Baldr begins cycling through all files and folders within key locations of the victim’s computer. Specifically, it looks in the user AppData and temp folders for information related to sensitive data.

Many of these data files range from simple sqlite databases to other types of custom formats. The authors have a detailed knowledge of these target formats, as only the key data from these files is extracted and loaded into a series of arrays. After all the targeted data has been parsed and prepared, the malware continues onto its next functionality set.

Step 3: ShotGun file grabbing
DOC, DOCX, LOG, and TXT files are the targets in this stage. Baldr begins in the Documents and Desktop directories and recursively iterates all subdirectories. When it comes across a file with any of the above extensions, it simply grabs the entire file’s contents.

Step 4: ScreenCap
In this last data-gathering step, Baldr gives the controller the option of grabbing a screenshot of the user’s computer.

Step 5: Network exfiltration
After all of this data has been loaded into organized and categorized arrays/lists, Baldr flattens the arrays and prepares them for sending through the network.

One interesting note is that there is no attempt to make the data transfer more inconspicuous. In our analysis machine, we purposely provided an extreme number of files for Baldr to grab, wondering if the malware would slowly exfiltrate this large amount of data, or if it would just blast it back to the C2.

How to Protect?

  • Do not open unknown attachments in Email.
  • Always do proper malware scan of downloaded files.
  • Use Internet Security instead of Antivirus especially when your activities are over 50% online.