A new malware named Baldr is available in cyberspace

Since the beginning of the year, increased activity and development of new stealers has been observed. Stealers typically operate in grab-and-go mode: upon infection, the malware collects all the data it needs and exfiltrates it right away. Besides capturing browser history, stored passwords, and cookies, stealers also look for files that may contain valuable data.

The newest of these is Baldr, recently identified by cybersecurity researchers.

Baldr is the work of three main actors: Aggressor for distribution, Overdot for sales and promotion, and LordOdin for development. It was first spotted in January on popular clear-net Russian hacking forums.

Overdot posts the majority of the advertisements across multiple message boards, provides customer service via Jabber, and addresses buyer complaints in the reputation system used by several boards.
LordOdin monitors and likes posts about Baldr, and appears to be the primary actor managing Baldr itself.

Remember that everything can be hacked. To stay away from threats in the cyber world, we recommend installing an antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.

Baldr’s functionality:

  • user profiling
  • sensitive data exfiltration
  • key locations and application data it searches:
    AppData\Local\Google\Chrome\User Data\Default
    AppData\Local\Google\Chrome\User Data\Default\Login Data
    AppData\Local\Google\Chrome\User Data\Default\Cookies
    AppData\Local\Google\Chrome\User Data\Default\Web Data
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Roaming\Exodus\exodus.wallet
    AppData\Roaming\Ethereum\keystore
  • file grabbing
  • screen capture
  • network exfiltration
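The artefact paths listed above give a defender something concrete to watch for. The following is an added example (not code from the original write-up or from the malware) that scans constructed Sysmon-like file-access events and flags any process other than the expected owner touching those paths; the owner mapping (chrome.exe, exodus.exe, geth.exe), the sample binary name and the log format are assumptions made for the example.

```python
import json

# Artefact paths from the write-up (relative to the user profile) mapped to the process
# that legitimately opens each one; the owner sets are an assumption for this example.
BALDR_ARTEFACTS = {
    r"AppData\Local\Google\Chrome\User Data\Default\Login Data": {"chrome.exe"},
    r"AppData\Local\Google\Chrome\User Data\Default\Cookies": {"chrome.exe"},
    r"AppData\Local\Google\Chrome\User Data\Default\Web Data": {"chrome.exe"},
    r"AppData\Local\Google\Chrome\User Data\Default\History": {"chrome.exe"},
    r"AppData\Roaming\Exodus\exodus.wallet": {"exodus.exe"},
    r"AppData\Roaming\Ethereum\keystore": {"geth.exe"},
}

def _ev(pid, image, target):  # one constructed Sysmon-like file-access event (not real telemetry)
    return json.dumps({"ProcessId": pid, "Image": image, "TargetFilename": target})

PROFILE = r"C:\Users\alice"
CHROME = PROFILE + r"\AppData\Local\Google\Chrome\User Data\Default"
STEALER = PROFILE + r"\AppData\Local\Temp\build.exe"  # constructed unknown binary
SAMPLE_LOG = [
    _ev(1200, r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME + r"\Login Data"),
    _ev(4412, STEALER, CHROME + r"\Login Data"),
    _ev(4412, STEALER, CHROME + r"\Cookies"),
    _ev(4412, STEALER, PROFILE + r"\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    _ev(2210, PROFILE + r"\AppData\Local\Programs\Exodus\Exodus.exe",
        PROFILE + r"\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    _ev(3100, r"C:\Windows\System32\notepad.exe", PROFILE + r"\Documents\notes.txt"),
]

def matched_artefact(event):
    """Return (artefact, image) if a non-owner process touches a listed path, else None."""
    image = event["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    target = event["TargetFilename"].replace("/", "\\").lower()  # case-insensitive match
    for artefact, owners in BALDR_ARTEFACTS.items():
        if artefact.lower() in target and image not in owners:
            return artefact, image
    return None

def scan_log(lines):
    """Return [(pid, image, artefact)] for every suspicious access in the log."""
    checked = ((e, matched_artefact(e)) for e in map(json.loads, lines))
    return [(e["ProcessId"], found[1], found[0]) for e, found in checked if found]

def grab_and_go_processes(hits, min_artefacts=2):
    """One process sweeping several artefacts is the grab-and-go pattern described above."""
    per_pid = {}
    for pid, _image, artefact in hits:
        per_pid.setdefault(pid, set()).add(artefact)
    return {pid for pid, arts in per_pid.items() if len(arts) >= min_artefacts}
```

A single access by an unknown process is worth a look, but a process that sweeps several of these paths in one run is the stronger signal, so grab_and_go_processes is what an alert should key on.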

Analysis of the payload found that it makes heavy use of obfuscation and packing.
The code base is far from linear: all functionality is heavily encrypted, hidden behind wrapper functions, and spread across a large number of utility classes, and each action is executed in a separate thread.

In the final stage of its data collection, it saves the filename of each .txt or .doc file it finds and stores the file’s contents in various arrays.

Baldr is a powerful stealer that is being actively distributed. Its creator and distributors are active on various forums, promoting their product and defending it against critics. Baldr has already gone through many versions, which shows that its creator is interested in developing new features because demand for such products is high.

Baldr MD5:

We will continue to monitor this threat. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.