A new information stealer has been detected that could become a long-term threat. The Baldr information stealer is not especially sophisticated and lacks persistence, but once downloaded it exfiltrates data quickly in a ‘smash and grab’ attack.
Baldr will not survive a reboot and cannot spread to other devices, but for most threat actors that is no obstacle. Once downloaded, it searches commonly used locations for sensitive information and exfiltrates everything it finds in a single batch.
Baldr extracts sensitive information from Telegram sessions, FTP programs, cryptocurrency wallets, VPN client records, Jabber logs, SQL databases, and browser profiles. The malware also searches for text documents and can extract and exfiltrate data from log, docx, doc, and txt files.
Because the malware runs only briefly, it may have finished and disappeared before standard AV solutions detect it. No effort has been made, however, to conceal the transfer of data from an infected machine: regardless of how much data is exfiltrated, the transfer is not hidden in any way.
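The behaviour described in the two preceding paragraphs (a process that reads several credential and wallet stores in quick succession and then sends everything out in one unhidden batch) is exactly the kind of pattern endpoint telemetry can flag. The following is an added example, not code from the article or from any vendor's analysis of Baldr: a small heuristic that, given per-process file-read and outbound-connection events, alerts when a single process touches several distinct sensitive stores within a short window and then connects out. The event format, the time window, the store threshold and the sensitive-store paths are my assumptions; the article names the categories (browser profiles, FTP clients, wallets, Telegram sessions) but not the exact paths, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed Windows locations for the store categories named in the article.
# These are illustrative markers, not a list taken from Baldr itself.
SENSITIVE_MARKERS = (
    r"\Google\Chrome\User Data\Default\Login Data",  # browser profile
    r"\Mozilla\Firefox\Profiles",                    # browser profile
    r"\FileZilla\recentservers.xml",                 # FTP client
    r"\Telegram Desktop\tdata",                      # Telegram session
    r"\Bitcoin\wallet.dat",                          # cryptocurrency wallet
    r"\Electrum\wallets",                            # cryptocurrency wallet
)
WINDOW_SECONDS = 60        # assumed: reads must precede the connect by <= 60 s
MIN_DISTINCT_STORES = 3    # assumed: a browser reads one store, a stealer reads many


def touched_store(path):
    """Return the marker a file path matches, or None if it is not a sensitive store."""
    lower = path.lower()
    for marker in SENSITIVE_MARKERS:
        if marker.lower() in lower:
            return marker
    return None


def detect_smash_and_grab(events):
    """Return a list of (pid, sorted_stores_read, destination) alerts.

    events: dicts with keys ts (seconds), pid, type ("file_read" or "net_connect"),
    plus path (for file_read) or dest (for net_connect).  Assumed telemetry schema.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        recent_reads = []  # (ts, marker) for sensitive-store reads by this pid
        for ev in evs:
            if ev["type"] == "file_read":
                marker = touched_store(ev["path"])
                if marker is not None:
                    recent_reads.append((ev["ts"], marker))
            elif ev["type"] == "net_connect":
                in_window = {m for ts, m in recent_reads
                             if ev["ts"] - ts <= WINDOW_SECONDS}
                if len(in_window) >= MIN_DISTINCT_STORES:
                    alerts.append((pid, sorted(in_window), ev["dest"]))
                    recent_reads = []  # one alert per burst, not per connection
    return alerts


# Constructed sample telemetry: pid 4312 behaves like a smash-and-grab stealer,
# pid 1001 is a browser reading its own profile before talking to the web.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4312, "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 100.4, "pid": 4312, "type": "file_read",
     "path": r"C:\Users\a\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": 100.9, "pid": 4312, "type": "file_read",
     "path": r"C:\Users\a\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C"},
    {"ts": 101.2, "pid": 4312, "type": "file_read",
     "path": r"C:\Users\a\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"ts": 102.0, "pid": 4312, "type": "net_connect", "dest": "198.51.100.7:80"},
    {"ts": 105.0, "pid": 1001, "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 106.0, "pid": 1001, "type": "net_connect", "dest": "93.184.216.34:443"},
]

if __name__ == "__main__":
    for pid, stores, dest in detect_smash_and_grab(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} read {len(stores)} sensitive stores then connected to {dest}")
```

The threshold on distinct store categories is what separates a legitimate application reading its own data from a process sweeping every store on the machine; in production the markers would be tuned to the applications actually deployed, and the connect event would be enriched with the bytes sent so that the single large batch the article describes can be weighed as well.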
The malware is on a rapid development cycle. The developers appear to be actively testing it and fixing bugs, and many updates have been released over the past few months.
An analysis of the malware by Malwarebytes indicates the Baldr information stealer has been developed to be a long-term malware threat. Malwarebytes researchers explain that the malware “is not the work of a script kiddie. Whether we are talking about its packer usage, payload code structure, or even its backend C2 and distribution, it’s clear Baldr’s authors spent a lot of time developing this particular threat.”
The malware is currently being sold on underground forums for $150. Users of the malware can use an administration panel to find out how many users have been infected, what data has been extracted, the location of the victim, and other information.
Three threat actors are known to be working on the malware: one handles its distribution, another promotes and sells it, and a third works on development alongside the malware’s creators. That third actor is also collaborating with the developer of another malware variant called Arkei, although the two malware variants are separate projects.
The malware is being distributed through multiple channels, including cracks, hacking tools, and various other Trojanized applications. It has also been added to the Fallout exploit kit.