A rapidly evolving, difficult-to-detect information stealer is showing potential for targeting businesses, according to security researchers.
This new information stealer, dubbed Baldr, is “skillfully crafted for a long-running campaign,” according to researchers at Malwarebytes. Baldr first appeared in January this year and quickly generated many positive reviews on most of the popular clearnet Russian hacking forums, Malwarebytes researchers said in a blog post detailing the distribution and functionality of version 2.2 of Baldr.
The emergence of this information stealer comes at a time when researchers report an uptick in info-stealer activity, said Jérôme Segura, head of threat intelligence at Malwarebytes Labs.
“This new stealer is very interesting in the sense that they’re trying to push out new features and functionality in the market; there’s active development of the code for it,” Segura said. “Based on the efforts of the developers to create a piece of malware that is powerful, efficient, but also small, we’re seeing this as a threat to businesses and consumers.”
An information stealer is a type of malware that typically operates in a grab-and-go mode: it gathers data from a victim's computer and sends it to the attacker, typically targeting credentials for online banking services, social media sites, email or FTP accounts, according to Malwarebytes.
Apart from capturing browser history, stored passwords and cookies, stealers like Baldr will also go after files containing valuable data, researchers added.
Baldr is a nonresident stealer, Segura said, meaning it infects the user, quickly grabs all the information it needs, packages that information into a zip file and sends it back to the criminal operating the stealer.
“Then it will just vanish; it will auto delete itself,” he said. “Because it’s trying to evade antivirus detection and is nonresident, it makes it much more difficult to know whether you’ve been infected or not. If you were running a scan afterward you may not actually find any traces of it because it’s already done the damage and already exfiltrated the data.”
Criminals using the information stealer can then reuse those credentials, depending on the target, he said. They can see how many targets they successfully infected and where those targets are located, and sort them by operating system version, he added.
“It’s a very dangerous threat,” he said. “They can definitely triage their victims and jump to the most interesting ones. They can do a lot of things depending on [what they got]. If it’s credentials for other online services, it could actually lock the victims out of those services, impersonate them, [and] trigger password resets for other services that the user may have subscribed to.”
Baldr distribution, functionality and how to defend against it
Baldr is believed to be the handiwork of three threat actors, Agressor, Overdot and LordOdin, who operate on Russian underground forums. Agressor handles distribution, Overdot sales and promotion, and LordOdin development, researchers found.
Researchers have seen Baldr distributed in the wild through different campaigns, Segura said, such as drive-by exploit kit campaigns and social engineering campaigns built around alleged bitcoin generator applications promoted on YouTube.
For now, Baldr's operators rely mostly on social engineering, targeting people who are trying to download and crack software for free or get bitcoin for free, Segura said.
“What we’ve seen is a number of videos posted to YouTube which are advertising a program that apparently generates free bitcoins — which sounds like a scam and it is,” he said. “People are going to download it and then they infect themselves with this stealer.
“The ironic part is this stealer actually looks for a variety of cryptocurrency wallets. So, you’re not going to get any free bitcoin, but if you were somebody who was using cryptocurrencies and you had private keys for your crypto wallet in your computer, this particular stealer will grab it or your password and other information to actually steal those cryptocurrencies from you,” Segura said.
Baldr's main functionality can be broken down into five steps, researchers said. It starts by collecting user profile data, from the user account name to the OS type. It then goes through files and folders in key locations on the victim's computer, looking for sensitive information. Next, Baldr carries out "ShotGun" file grabbing, in which the contents of doc, docx, log and txt files are the targets. The last data-gathering step gives the controller the option to grab a screenshot of the user's desktop. In the final stage, it packages the collected data and exfiltrates it over the network.
Given that attackers use exploit kits to distribute Baldr, businesses should keep their computers up to date and reduce their attack surface by removing unnecessary plugins. Because the malware is nonresident, detection of this stealer has to happen during the infection process, he said.
“System administrators could monitor specific outgoing connections because if you’re able to detect when the malware contacts its command-and-control server, you could block that attempt, thereby preventing the actual theft of data, which really matters in the end,” he added.
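The monitoring Segura describes, catching the stealer at the moment it ships its zip archive to the controller rather than hunting for a binary that has already deleted itself, as an added example that is not Malwarebytes' code and uses no Baldr indicators from this article: a Python heuristic that scans proxy-style log lines and flags an outbound POST with an archive-sized body when the client does not look like a browser or the destination is a bare IP address. The log field layout, the content types, the 50 KB threshold, the sample addresses and the log lines themselves are constructed assumptions for illustration.

```python
"""Heuristic detection of grab-and-go exfiltration in proxy logs.

Added example, not vendor code. Assumed log layout per line:
  ts client METHOD url status bytes_out content_type "user_agent"
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed proxy log format (whitespace separated, user agent quoted).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

# Assumptions: these markers identify a browser-like client, these types
# carry packaged dumps, and a multi-file dump is rarely under 50 KB.
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream"}
MIN_UPLOAD_BYTES = 50_000
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")


@dataclass
class Alert:
    ts: str
    client: str
    url: str
    bytes_out: int
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> List[str]:
    """List the suspicious traits of one parsed record (empty if none)."""
    reasons: List[str] = []
    if rec["method"] != "POST":
        return reasons
    bytes_out = int(rec["bytes_out"])
    browser_like = any(mark in rec["ua"] for mark in BROWSER_UA_MARKERS)
    if rec["ctype"] in ARCHIVE_TYPES and bytes_out >= MIN_UPLOAD_BYTES:
        reasons.append("archive-sized upload")
        if not browser_like:
            reasons.append("non-browser client")
    if IP_HOST_RE.match(rec["url"]):
        reasons.append("POST to bare IP address")
    return reasons


def scan(lines: Iterable[str]) -> List[Alert]:
    """Alert on archive-sized uploads that carry at least one extra trait."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify(rec)
        if "archive-sized upload" in reasons and len(reasons) >= 2:
            alerts.append(Alert(rec["ts"], rec["client"], rec["url"],
                                int(rec["bytes_out"]), reasons))
    return alerts


# Constructed sample log: one browser session, one zip POST to a bare IP
# by a client with no user agent, one browser zip upload to a named host,
# one small beacon to a bare IP, and one garbage line.
SAMPLE_LOG = """\
2019-05-21T10:14:02Z 10.0.0.15 GET https://www.example.com/index.html 200 0 - "Mozilla/5.0 (Windows NT 10.0) Chrome/74.0"
2019-05-21T10:14:09Z 10.0.0.15 POST https://www.example.com/login 302 412 application/x-www-form-urlencoded "Mozilla/5.0 (Windows NT 10.0) Chrome/74.0"
2019-05-21T10:15:33Z 10.0.0.15 POST http://203.0.113.10/upload 200 184320 application/zip "-"
2019-05-21T10:16:01Z 10.0.0.22 POST https://files.example.net/api/put 200 2097152 application/zip "Mozilla/5.0 (Windows NT 10.0) Firefox/66.0"
2019-05-21T10:16:40Z 10.0.0.22 POST http://198.51.100.7/ping 200 64 text/plain "-"
not a log line at all
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.client} -> {a.url} ({a.bytes_out} bytes): {', '.join(a.reasons)}")
```

Only the zip POST from 10.0.0.15 to the bare IP address is raised; the browser upload of a larger zip to a named host and the tiny beacon each carry one trait and stay below the alert bar. Backup agents and command-line tools also upload archives, so in production this feeds an allowlist and an alert queue rather than an inline block, and the value of the proxy record is that it survives after a nonresident stealer has removed itself from the host.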