Baldr – A New Malware Enters the Market
Baldr has been linked to Russian black-hat hackers.
MalwareBytes security researchers published a report about the new Malware called Baldr. It was first spotted in January 2019.
Baldr is an information stealer, a class of malware that is hard to detect; some stealers are only noticed at the time of the attack itself. Stealers are popular amongst cyber criminals because they cover a greater surface than more specialized banking trojans. On top of capturing browser history, stored passwords, and cookies, they also look for files that may contain valuable data.
Baldr also targets cryptocurrency wallets, VPN clients and the Telegram messenger. It does not spread through documents; rather, it grabs .doc, .docx, .log and .txt files from the victim's machine and transfers them to its C2 (command and control) server.
Baldr is likely the work of three threat actors: Agressor for distribution, Overdot for sales and promotion, and LordOdin for development.
According to MalwareBytes, it operates in five steps.
Step 1: User profiling
Baldr starts off by gathering a list of user profiling data. Everything from the user account name to disk space and OS type is enumerated for exfiltration.
Step 2: Sensitive data exfiltration
Next, Baldr begins cycling through all files and folders within key locations of the victim computer. Specifically, it looks in the user AppData and temp folders for information related to sensitive data.
Many of these data files range from simple sqlite databases to other types of custom formats. The authors have a detailed knowledge of these target formats, as only the key data from these files is extracted and loaded into a series of arrays. After all the targeted data has been parsed and prepared, the malware continues onto its next functionality set.
Step 3: ShotGun file grabbing
DOC, DOCX, LOG, and TXT files are the targets in this stage. Baldr begins in the Documents and Desktop directories and recursively iterates all subdirectories. When it comes across a file with any of the above extensions, it simply grabs the entire file’s contents.
Step 4: ScreenCap
In this last data-gathering step, Baldr gives the controller the option of grabbing a screenshot of the user’s computer.
Step 5: Network exfiltration
After all of this data has been loaded into organized and categorized arrays/lists, Baldr flattens the arrays and prepares them for sending through the network.
One interesting note is that there is no attempt to make the data transfer more inconspicuous. On our analysis machine, we purposely provided an extreme number of files for Baldr to grab, wondering if the malware would slowly exfiltrate this large amount of data, or if it would just blast it back to the C2.
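The two behaviours that stand out in the analysis above are Step 3 (one process recursively reading many .doc/.docx/.log/.txt files under Documents and Desktop) and Step 5 (the same process then blasting the collected data to a single host with no throttling). Together they make a usable hunting heuristic for endpoint telemetry. The following Python is an added example written for this article, not code from Malwarebytes or from the Baldr authors; the event schema (file_read / net_send records with a pid, image, path, destination and byte count), the thresholds, and the sample events (including the process name `svchost_update.exe` and the TEST-NET address 203.0.113.7) are all constructed for illustration and would need to be adapted to your EDR or Sysmon export.

```python
"""Hunt for Baldr-style 'shotgun grab then blast' behaviour in endpoint telemetry.

Heuristic (derived from the behaviour described in Steps 3 and 5, not from
Baldr's own code):
  1. one process reads >= min_files grab-target files (.doc/.docx/.log/.txt under
     Documents or Desktop) within window_s seconds, and
  2. within window_s of its last such read, that process sends >= min_bytes to a
     single destination.
The Event schema and all sample data below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

GRAB_EXTS = {".doc", ".docx", ".log", ".txt"}
GRAB_ROOTS = ("documents", "desktop")


@dataclass
class Event:
    ts: float           # seconds since epoch
    pid: int
    image: str          # process image name
    kind: str           # "file_read" or "net_send"
    path: str = ""      # file_read only
    dst: str = ""       # net_send only, "host:port"
    bytes_out: int = 0  # net_send only


def is_grab_target(path: str) -> bool:
    """True if the path is a Step-3 target: grab extension under Documents/Desktop."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    return p.suffix.lower() in GRAB_EXTS and any(r in parts for r in GRAB_ROOTS)


def find_shotgun_exfil(events, window_s=120, min_files=25, min_bytes=2_000_000):
    """Return [(pid, image, files_read, dst, bytes_out)] for processes matching
    the grab-then-blast pattern described in the module docstring."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)

    hits = []
    for pid, evs in by_pid.items():
        reads = [e for e in evs if e.kind == "file_read" and is_grab_target(e.path)]
        if len(reads) < min_files:
            continue
        # Sliding window: was there ever a burst of min_files reads within window_s?
        burst = any(reads[i + min_files - 1].ts - reads[i].ts <= window_s
                    for i in range(len(reads) - min_files + 1))
        if not burst:
            continue
        last_read = reads[-1].ts
        # Aggregate outbound bytes per destination shortly after the last grab.
        sent = defaultdict(int)
        for e in evs:
            if e.kind == "net_send" and last_read <= e.ts <= last_read + window_s:
                sent[e.dst] += e.bytes_out
        for dst, total in sent.items():
            if total >= min_bytes:
                hits.append((pid, evs[0].image, len(reads), dst, total))
    return hits


def sample_events():
    """Constructed telemetry: one benign editor session and one stealer-like process."""
    evs = [
        # Benign: Word reads a single document and syncs a small amount of data.
        Event(1000.0, 4242, "WINWORD.EXE", "file_read",
              path=r"C:\Users\alice\Documents\budget.docx"),
        Event(1005.0, 4242, "WINWORD.EXE", "net_send",
              dst="onedrive.example:443", bytes_out=120_000),
    ]
    # Suspicious: unknown binary reads 60 grab targets in 30 s, then sends 6.2 MB.
    for i in range(60):
        evs.append(Event(2000.0 + i * 0.5, 9001, "svchost_update.exe", "file_read",
                         path=rf"C:\Users\alice\Desktop\notes\file{i}.txt"))
    evs.append(Event(2031.0, 9001, "svchost_update.exe", "net_send",
                     dst="203.0.113.7:80", bytes_out=6_200_000))
    return evs


if __name__ == "__main__":
    for pid, image, n, dst, total in find_shotgun_exfil(sample_events()):
        print(f"pid {pid} ({image}) read {n} grab targets then sent {total} bytes to {dst}")
```

Backup agents and cloud-sync clients will trip the same heuristic, so in practice the output is a candidate list to join against a process allowlist and against the destination's reputation, not an alert on its own. The thresholds are deliberately loose because a stealer such as Baldr, by the report's own observation, makes no effort to pace its upload.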
How to Protect?
- Do not open unknown attachments in email.
- Always scan downloaded files before opening them.
- Use an internet security suite rather than a standalone antivirus.