Stealer malware steals information. Its primary purpose is neither to spread to other computers nor to obtain stealthy persistence on an infected computer. It can be like a smash-and-grab burglar — it grabs what it came for, and that’s it. It steals browser histories, passwords and cookies, and files that may contain sensitive data. It’s different from spyware, which seeks stealthy persistence to observe over time.
Generally speaking, stealers don’t need to be sophisticated. They are not normally designed for long-term market presence with the updates and improvements that come with mainstream trojans like Dridex or ransomware like GandCrab. But now there’s a new stealer — Baldr — that looks like it may be around for a while. Baldr first appeared towards the end of 2018, and has been analyzed by Malwarebytes. The researchers comment, “During the short time span of a few months, Baldr has gone through many versions, suggesting that the author is fixing bugs and interested in developing new features.”
Several distribution channels for Baldr have been discovered. The Malwarebytes researchers found it disguised as a tool to generate free bitcoins advertised on YouTube; and have also found it in a drive-by campaign involving the Fallout exploit kit. The threat hunter known as @MisterCh0c tweeted on 31 March, “#baldr stealer spreading through “legit” CS:GO cheat videos”; and on 2 April, “Here’s the original website: hxxp://ethereums.network/. Spreading #baldr through all kind of fake $crypto apps.”
Malwarebytes links Baldr to three threat actors: Agressor for distribution (possibly as an affiliate), Overdot for sales and promotion, and LordOdin for development — with the latter two being the primary actors.
What Baldr does is relatively straightforward — there is nothing groundbreaking in its functionality. Where it differs from other stealers, however, is in the complicated implementation of that functionality. “Whether we are talking about its packer usage and payload code structure or even its backend C2 and distribution,” comment the researchers, “the authors spent a lot of time to try and make this a long running campaign.”
Baldr goes through five stages: it profiles the victim computer; it exfiltrates sensitive data; it grabs DOC, DOCX, LOG and TXT files; it may take a screenshot; and it sends the collected data back to its C2 server. With typical ‘smash-and-grab’, it does not attempt to disguise this final exfiltration. Regardless of the size of the network transfer, Baldr has done its job and stolen the data — at this point there is no attempt to disguise its presence.
If the malware hasn’t been discovered before this point, it will certainly be discovered now on any business network. This lack of stealth, lack of persistence, and absence of any spreading mechanism means that in a corporate environment, each employee would need to be manually targeted with a unique attempt.
The Baldr code is heavily obfuscated. Once exposed, however, the researchers were able to examine the payload. This is not easy to analyze, despite being written in an interpreter language (C#). “All functionality is heavily abstracted, encapsulated in wrapper functions and utilize a ton of utility classes,” note the researchers. And then, “Every minute action that this malware performs is executed through a separate thread. This was obviously done to complicate the life of the analyst.” There are more than 100 unique function being called inside of threads throughout the code base; which could become thousands with recursively called threads.
The first stage of operation gathers the user profile — cpu type, computer name, user accounts, OS and so on. The gathered data is stored in arrays that are flattened. Baldr then cycles the directories looking for application data such as stored user accounts. After this it looks for txt and doc files. It saves the filenames and stores the content in various arrays. Finally, before network connection and data transmission to the C2, it can take screenshots. Like other stealers, it comes with a panel that provides high level stats to the criminal user.
The researchers describe Baldr as a ‘solid’ stealer that is active in the wild. They point out that its author and distributor are both active on various underground forums to promote and defend the malware; and that it has evolved through numerous versions in just a few months. The implication is that Baldr is here for the long haul; and the criminal demand for stealers is so high that it will likely be used in numerous campaigns going forward.