In today’s blog post, researchers said that Baldr has earned positive reviews on Russian hacking forums for its use of three threat actors: Agressor for distribution, Overdot for sales and promotion and LordOdin for development. However, it’s not only among Russian hackers that the new malware is making waves.
“In our analysis of Baldr, we collected a few different versions, indicating that the malware has short development cycles. The latest version analyzed for this post is version 2.2, announced March 20,” wrote researchers William Tsing, Vasilios Hioureas, and Jérôme Segura.
Typically, banking Trojans need a user to log into their bank’s website, but these grab-and-go stealers are different from traditional banking Trojans because they are largely able to steal information without the victims realizing they’ve been compromised.
“This means that upon infection, the malware will collect all the data it needs and exfiltrate it right away. Because such stealers are often non-resident (meaning they have no persistence mechanism) unless they are detected at the time of the attack, victims will be none-the-wiser that they have been compromised,” researchers wrote.
Analysis suggests that the new malware is not the work of a script kiddie. “There is nothing ground breaking as far as what it’s trying to do on the user’s computer, however, where this threat differentiates itself is in its extremely complicated implementation of that logic.”
The new stealer has reportedly been distributed through fake YouTube videos that promise programs that will generate free Bitcoins. Researchers suspect that the actors believe they are on to something good, as the stealer has evolved through multiple versions in only a few short months. It is expected that this threat will continue to evolve and grow more popular with additional features.
“Baldr is a solid stealer that is being distributed in the wild. Its author and distributor are active in various forums to promote and defend their product against critics,” the authors wrote.