Grab-and-go Baldr malware enters the black market

Baldr has been linked to three prominent hackers in the Russian underground.
Written by Charlie Osborne, Contributor on

A new form of information-stealing malware called Baldr believed to be the work of experienced hackers is making the rounds in Russian underground forums.

On Tuesday, researchers William Tsing, Vasilios Hioureas, and Jérôme Segura from Malwarebytes published a report on the new malware strain, found to be newly-introduced to interested cybercriminals.

Information stealers such as Baldr have proven popular in rapid-fire attacks and phishing, given their ability to capture information including machine data, browser history, some stored passwords -- depending on how and where they are buried -- and valuable files.

Baldr is no different. The malware has "high-level functionality" and the team says is by no means a script kiddie effort thrown together for quick cash.

Instead, Baldr is able to gather user profile data including browser information, as well as detecting the existence of cryptocurrency wallets, VPNs, Telegram, and Jabber. The malware then cycles through the files and folders of key PC locations in order to extract information from important file types.

The data theft then begins, shotgun-style, with .DOC, .DOCX, .LOG and .TXT files of particular interest to the malware's operators. Baldr is able to grab an entire file's contents for transfer to its command-and-control (C2) server.

It is interesting to note that the malware's developers have not tried to obfuscate the data transfer in any way -- at least, at present. Rather than send the information across slowly in a trickle less likely to be noticed, there is simply one large, bulk transfer.

Baldr's operators can also grab screenshots of the victim system should they wish and the malware also comes with a panel that allows customers to view infection statistics and retrieve stolen data.

See also: A basic guide to diving into the dark web

After completing the data theft, the malware does not maintain any form of persistence. There is also no propagating method included so Baldr is not currently able to spread itself across corporate or networked environments.

"Unlike many banking Trojans that wait for the victim to log in to their bank's website, stealers typically operate in a grab and go mode," the researchers say. "This means that upon infection the malware will collect all the data it needs and exfiltrate it right away. Because often such stealers are non-resident (no persistence mechanism), unless they are detected at the time of the attack, victims will be none-the-wiser that they have been compromised."

Baldr is written in C++ but reverse engineering was not an easy task. The malicious code is hidden through wrapper functions and utility classes, with layers of separate classes and modules that make unpicking Baldr a time-consuming activity. There are also over 100 unique functions called through separate threads to make analysis even more challenging.

TechRepublic: Half of online banks allow hackers to steal your money

The malware has been spotted through a number of different distribution vectors, including Trojanized apps and software disguised as hacking tools and cracks, a fake Bitcoin miner, and during a drive-by campaign involving the Fallout exploit kit.

Malwarebytes believes that Baldr is likely the work of three prominent hackers who operate on Russian forums.

The first is "Agressor," -- also known as Agri_MAN -- an individual known for selling hacking tools as far back as 2011. The trader operates a shop offering a variety of Baldr builds. Overdot, the second hacker, has previously been associated with the Arkei stealer and seems to focus on sales and customer service.

CNET: US reportedly no longer demands Huawei ban from Germany 

The third player is LordOdin, a developer who has been spotted posting to try and showcase the new malware and its functions as competition to rival products.

According to the company, Baldr has been met "positively" since its launch in late 2018.

"Baldr is a solid stealer that is being distributed in the wild," Malwarebytes said. "Its author and distributor are very active in various forums to promote and defend their product against critics. Baldr will have to compete against other stealers and differentiate itself. However, the demand for such products is high, so we can expect to see many distributors use it as part of several campaigns."

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage


Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

How decentralization and Web3 will impact the enterprise
web 3.0 3d art

How decentralization and Web3 will impact the enterprise

The 5 best camping gear and tools of 2022

The 5 best camping gear and tools of 2022

Yard & Outdoors