The Baldr malware is a bit of an enigma. Appearing first in late 2018, researchers at Sophos have tracked it through four rapid revisions until suddenly, on May 31, 2019, the distributor (overdot) declared that further development and support had ceased. Users had been expecting the developer — thought to be LordOdin by Malwarebytes — to deliver a major upgrade to version 4.0.
It isn’t clear whether LordOdin has moved on to a different project, or whether this is simply a falling-out between developer and distributor. Meanwhile, it’s still in the wild. Sophos believes it was purchased from the distributor by more than 200 criminals, and the distributor has given license for them to continue using it at will.
Which leads to the second surprising element. Baldr is an efficient information stealer, but the business model for the developer was not so sophisticated. With a total of around 200 sales at an average of around $100 for a license for life (less in its early days, but $150 for the current version), the financial return over more than eight months is not good for modern malware. The GandCrab developers supposedly retired while claiming earnings of over $150 million per year.
The distributor, however, had a secondary income stream through selling stolen victim logs obtained through the C2 infrastructure to credential resellers.
Sophos (whose full report is available as a PDF) first detected Baldr being distributed to online gamers. YouTube videos would offer cheat tools for games such as Counter-Strike: GO or Apex Legends, but the download link would lead to Baldr. It was also found bundled with pirated versions of games and in weaponized, but otherwise legitimate, crypto miners.
As the customer base grew, so too did the distribution methods. The researchers highlight two detected methods: exploitation of the WinRAR vulnerability designated CVE-2018-20250; and use of a maliciously crafted RTF file to exploit the vulnerability designated CVE-2018-0802.
The highest number of Baldr detections occurred in May 2019, with the number falling off in June. It is low in number compared to established malware such as Trickbot, but global in nature, focused on Indonesia, the United States, Singapore, Brazil, India, and Germany. Russia was surprisingly the third most attacked region. Baldr is mostly sold on the Russian dark net, and it could be expected that Russian criminals would dominate purchases. Given the tacit understanding between state and hackers that they do not target Russia, this could imply non-Russian users. Alternatively, suggest the authors, it could be Russian criminals testing the malware on their own systems and skewing the figures.
Baldr itself is simply an information stealer. In this sense it is the old-fashioned burglary attack rather than the newer approach of persistent home invasion. Typically, it does its work in just 15 to 30 seconds. It does nothing fancy, like a browser hijack to steal credentials as they are entered at the keyboard, but simply looks around and steals anything it finds that might contain useful data.
It starts by profiling the system, collecting geo information and machine and operating system information. All of this collected data gets appended to a file called information.log. It then collects all saved credentials from any of more than 20 installed browsers, including Chrome, Edge, Firefox and Opera, and saves them to password.log.
Saved autocomplete information goes into autocomplete.txt; saved credit card information into cards.txt; cookies into cookies.txt; browsing history to history.txt; and visited domains into cookieDomains.txt.
Baldr also gathers data from the Firefox profile files cookies.sqlite, places.sqlite, formhistory.sqlite, logins.json, key3.db and key4.db. “Places.sqlite,” notes Sophos, “contains a list of all the web pages a user visited, but also stores bookmarks and attributes for visited sites. Forensically speaking, this is the single most important file for forensic investigators (or crooks) to examine.”
It also steals FTP credentials from FileZilla and Total Commander; XMPP credentials from instant messaging clients such as Pidgin, Psi, Psi+ and Jabber; VPN configuration files from ProtonVPN and NordVPN; any cryptocurrency wallets it can find; Telegram credentials and data; and a screenshot of the currently active desktop. Once the collection is complete, it dispatches the exfiltration package to the C2 as a single file, which is encrypted from version 3 onwards.
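For defenders, the staging files named above are a usable hunting signal: one process writing several of them within the short runtime the article describes is worth an alert. The following is an added example (not code from Sophos or the article) that runs that check over constructed file-creation log lines; the log format, the process names and paths, and the threshold of four distinct artifacts are assumptions.

```python
"""Added example: flag a process that creates several Baldr staging files
(information.log, password.log, ...) within the 15-30 s runtime cited.
Log format, paths and the MIN_MATCHES threshold are assumptions."""
from collections import defaultdict
from datetime import datetime

# Staging file names listed in the article; compared case-insensitively.
BALDR_ARTIFACTS = {
    "information.log", "password.log", "autocomplete.txt", "cards.txt",
    "cookies.txt", "history.txt", "cookiedomains.txt",
}
WINDOW_SECONDS = 30   # upper end of the 15-30 s execution time described
MIN_MATCHES = 4       # tolerate victims with no saved cards or autocomplete

# Constructed events: "<ISO timestamp> pid=<n> image=<path> created=<path>"
SAMPLE_LOG = r"""
2019-05-20T10:00:01 pid=4120 image=C:\Temp\cheat.exe created=C:\Temp\x\information.log
2019-05-20T10:00:03 pid=4120 image=C:\Temp\cheat.exe created=C:\Temp\x\password.log
2019-05-20T10:00:04 pid=4120 image=C:\Temp\cheat.exe created=C:\Temp\x\cookies.txt
2019-05-20T10:00:06 pid=4120 image=C:\Temp\cheat.exe created=C:\Temp\x\history.txt
2019-05-20T10:00:07 pid=4120 image=C:\Temp\cheat.exe created=C:\Temp\x\cookieDomains.txt
2019-05-20T10:05:00 pid=881 image=C:\Program Files\Mozilla Firefox\firefox.exe created=C:\Users\u\Profiles\a.default\cookies.sqlite
2019-05-20T11:00:00 pid=2200 image=C:\Windows\System32\notepad.exe created=C:\Users\u\Desktop\history.txt
"""

def parse_event(line):
    """Split one event into (timestamp, pid, lower-cased basename created)."""
    ts_str, _, rest = line.partition(" pid=")
    pid, _, rest = rest.partition(" image=")
    _image, _, created = rest.partition(" created=")
    name = created.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return datetime.fromisoformat(ts_str), int(pid), name

def find_baldr_bursts(log_text):
    """Return {pid: sorted artifact names} for each process that created at
    least MIN_MATCHES distinct staging files inside one WINDOW_SECONDS span."""
    per_pid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, pid, name = parse_event(line)
            if name in BALDR_ARTIFACTS:
                per_pid[pid].append((ts, name))
    hits = {}
    for pid, events in per_pid.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding time window
            names = {n for t, n in events[i:]
                     if (t - start).total_seconds() <= WINDOW_SECONDS}
            if len(names) >= MIN_MATCHES:
                hits[pid] = sorted(names)
                break
    return hits
```

A single history.txt written by an unrelated editor (pid 2200 above) does not trigger, while the burst from the lure executable does.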
Although Baldr is unsophisticated in its intent, it is more sophisticated in its design — including, for example, nine obfuscation layers that cannot be removed by standard automatic de-obfuscators. Version 3 also introduced a 3-second execution delay, probably designed to fool sandboxes, and a self-delete routine on completion.
While Baldr is basically an information stealer, it can be used in conjunction with other malware. It is able to download further files from the C2. “For example,” says Sophos, “we recently observed ransomware loading Baldr onto a victim’s machine, executing the stealer to glean data of value from a victim’s computer before starting the encryption routine.”
But despite its efficiency and success in the wild, Baldr has reached a hiatus. Its primary distributor, overdot, is even recommending an alternative malware, Krypton. Sophos suspects this is more to do with a disagreement between developer and distributor than complete abandonment by the developer. “Just as Baldr was on the road to take up some space in the cybercrime ring that for example AZORult’s demise left behind,” says Sophos, “it seems Baldr will take the fall now due to internal rivalry.” That said, we may well see more of Baldr in the future, perhaps under a different name.