Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/9/2019
03:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Meet Baldr: The Inside Scoop on a New Stealer

Baldr first appeared in January and has since evolved to version 2.2 as attackers aim to build a long-lasting threat.

Baldr is a fairly new stealer on the threat landscape, though researchers say its rapid development signifies authors are preparing to cultivate a long-term problem.

The team at Malwarebytes Labs has been monitoring the heightened growth and development of stealers for the past few months; it reports Baldr first appeared in January. Analysis indicates Baldr's developers are investing time and effort into their product, which, like many stealers, is becoming more popular as cybercriminals hunt for easy means to snag valuable data.

Stealers are sneaky, and victims rarely know they're hit unless it's detected at delivery. Upon infection, stealers typically scan the target machine and grab what they need – browser history, screenshots, passwords, cookies – in as little as a minute, explains Malwarebytes threat intelligence lead Jerome Segura. They may also seek out files containing sensitive information.

Unlike banking Trojans, stealers are nonresident, he continues. "They're not going to stay on the computer for long periods of time," Segura says. Once the stealer has what its author is looking for, it zips the files, uploads them to the attacker's server, and vanishes. Victims who scan for a stealer after its disappearance will likely never know it was there, he points out. 

Not A Script Kiddie's Work
Baldr is likely the product of three threat actors: Agressor for distribution, Overdot for sales and promotion, and LordOdin for development. Overdot, which was previously linked to the Arkei stealer, markets Baldr on message boards, helps customers via Jabber, and addresses complaints in boards' reputational systems. Baldr has proved popular on Russian hacking forums, researchers point out, and has a reputation for decent communication with authors.

Since it was first detected, Baldr has evolved from version 1 to version 2.2, the latest edition analyzed by the Malwarebytes team. Researchers collected a few different versions of Baldr, which has short development cycles and was most recently updated on March 20.

Baldr's main functionality can be described in five steps: It first collects a list of user profile data, from the user account name to OS type. After that, it goes through files and folders in key locations on the machine, keeping an eye out for sensitive info. Baldr then conducts "ShotGun" file grabbing, grabbing the contents of .doc, .docx, .log, and .txt files it finds. The last step in data collection is to grab a screenshot of the user's computer. Finally, it exfiltrates the package.

While there's nothing especially groundbreaking about how Baldr works on target machines, it's worth noting the developers seem invested in crafting this threat for long-term success. "It is not the work of a script kiddie," as researchers warn in a blog post on their analysis.

When it was first rolled out, Baldr "had what you'd expect in terms of capabilities," Segura says. As its customer base grew, authors introduced bug fixes and improved the back end. Baldr sold for $100, which included the stealer along with a control panel to track the number of victims, download stolen data, and view stats like victims' location and operating systems they used. He anticipates Baldr's authors will continue to add new features and bug fixes in future versions.

Stealer Upgrade: Targeting YouTube, Bitcoin
Attackers have several means of targeting victims with Baldr; one of the primary vectors is the use of malicious applications masked as hacking tools. Researchers found YouTube videos offering fake programs to create free Bitcoin, which turned out to be Baldr stealers in disguise.

"There is no such thing as free Bitcoin, but some people will still look for them," Segura says. Plenty of YouTube videos promise get-rich-quick hacks accompanied with a malicious link. "People will download and try to do what they do in the video, but in actuality they're going to infect themselves," he adds. 

While stealers aren't a new threat, old ones were more focused on passwords and browser histories. New stealers are beginning to focus on cryptocurrency wallets and their passwords, and to seek them out when scanning target machines. Segura speculates there could potentially be a link between the YouTube videos promising free Bitcoin and the targeting of cryptocurrency wallets once Baldr lands on a victim's machine.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.