A new stealer malware dubbed Baldr has been taking the cybercrime market by storm with its capabilities including user profiling, sensitive data exfiltration, shotgun file grabbing, screencapping, and network exfiltration.
Malwarebytes researchers have been monitoring the malware for the past few months and said it is the work of three threat actors: Agressor handled distribution, Overdot sales and promotion, and LordOdin development, according to an April 9 blog post.
Stealers like this are more popular among cybercriminals than more specialized banking trojans because their high-level functionality is relatively straightforward, providing a small set of malicious abilities.
“This type of malware is popular among criminals and covers a greater surface than more specialized bankers,” researchers said in the post. “On top of capturing browser history, stored passwords, and cookies, stealers will also look for files that may contain valuable data.”
Researchers emphasized the stealer is different from a normal banking trojan. While many banking Trojans wait for the victim to log into their bank’s website, stealers typically operate in grab-and-go mode so upon infection, the malware will collect all the data it needs and exfiltrate it right away.
Stealers also have no persistence mechanisms so unless the malware is detected at the time of attack, victims often don’t even know they have been compromised.
Baldr first appeared in January 2019 and quickly generated positive reviews on most of the popular clearnet Russian hacking forums due to its reputation for reliability and the relatively good communication from the team behind it, researchers said. Researchers have already noted a few different versions of the malware, indicating that it has short development cycles, with the latest version, 2.2, announced on March 20.