Security researchers at cybersecurity firm SophosLabs have released a detailed report on Baldr, a new type of malware that first surfaced in January on Deep Web and then went out of circulation in June 2019 after a falling out between its creators and distributors. The malware was used to target PC gamers across the world. According to Sophos’ report, Indonesia (21%), the United States (10.52%), Brazil (14.14%), Russia (13.68%), India (8.77%) and Germany (5.43%) were among those that were most affected.
SophosLabs points out that usually, malwares like Baldr are sold on DarkWeb (where hard core cybercriminals lurk), but the authors behind the malware wanted to make it available to larger group of cybercriminals and so released it on Deep Web, that part of the World Wide Web which is not indexed by search engines and which lies between Surface Web and Dark Web.
Even though the malware is no longer in circulation on Deep Web, the researchers believe cybercriminals who have access to the malware can still rewrite it and use it to carry out fresh attacks under a different name. “Even though Baldr is currently off the deep market, it can still be used by cybercriminals who had previously purchased it, and is still a potential threat,” warned Albert Zsigovits, a threat researcher at SophosLabs, in a press statement.
The malware has been named Baldr as security researchers believe it to be the handiwork of LordOdin, a hacker active on Russian forums. Its circulation was handled by Agri_Man, a renowned malware distributor on Russian forums. Researchers at Malwarebytes Labs, another cybersecurity firm, point out that Baldr is a sophisticated malware that has been written skilfully for long running campaign, which is what makes it hard to detect.
Baldr scans through all AppData and temp folders on the victim’s computer, looking for sensitive data such as saved passwords, browser history, cached data, configuration files, cookies from a wide range of apps. It first sends a screen grab of the list of all the sensitive files and then the actual files to the hacker.