Baldr Stealer Malware hits Mainstream

BLUF (Bottom Line Up Front)

  • Don’t store your passwords in your browsers
  • Delete your browsers’ cookies
  • Monitor your connections
  • Use a Virtual Machine for browsing untrusted websites
  • Not related to Baldr Information Security

What it Is

Baldr is classified by the Malwarebytes research team as stealer malware, and several news articles about it have come out recently. It’s being lauded as well built, with a regular release cycle and solid obfuscation.

As stealer malware it focuses on ripping out any relevant files, packing them up and getting them out. It’s effectively a man breaking the jewelry store cases, tossing the diamonds in a bag and running as fast as he can. Speed is the name of the game more so than stealth. It’s fileless, meaning it never saves a file to the hard drive, which still makes it decently stealthy, and its use of obfuscation makes it harder to analyze. However, since it’s built to last, its capabilities and limitations may change with releases down the line.

In Baldr’s current release it grabs passwords saved in browsers, cookies, and files with common document extensions, e.g. .docx and .txt, and exfiltrates them with little to no attempt to be discreet.

Dealing with The Baldr Stealer Malware

The Grab

While antivirus vendors are already rolling indicators of compromise into their software to help mitigate the new threat, the best protection against loss of data will always be not to have it. The first few locations Baldr is hunting in shouldn’t have any valuable data in them if you’re following best practices. Not saving your passwords in your browser and instead opting for a password manager like LastPass or its open source brother KeePass would defuse part of the problem. Wiping cookies when you close your browser solves another piece, which leaves us with the other documents it looks to steal. Unfortunately, just saying “Encrypt all the things” isn’t really a solution.

Tools like BitLocker can help by encrypting your data at rest, offering full hard drive encryption. However, there’s no reason to believe the data wouldn’t be decrypted when Baldr requests the documents if it’s running with the right permissions. While BitLocker doesn’t decrypt the entire hard drive when you log in, anything requesting data at rest with your permissions or higher will be able to read it. Data at rest encryption usually has more to do with physical theft than digital.

The Go

Exfiltration prevention is a more difficult practice to implement. Most security practices focus on preventing the entry of malicious data and dealing with malicious software, not on the exfiltration of your data, which can happen in a flash. In a traditional network with firewalls and intrusion detection devices in place, exfiltration can be identified by deviation from normal network traffic. On individual computers, or in the BYOD world, tools like GlassWire can make a huge difference: the user is prompted to accept each new connection and is notified of any that appear, similar to how Windows prompts you for Admin access when a process runs with elevated privileges.
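The deviation-from-normal idea above, as an added Python example (not code from the original post or from GlassWire): a constructed per-process connection log is used to learn which process normally talks to which destination and how much it sends, and a second constructed batch is checked for a never-seen destination or an outbound byte count far above that process’s norm. Process names, hosts and byte counts are all made up for illustration.

```python
"""Baseline-and-deviate check over outbound connection records.

Each record is (process, remote_host, remote_port, bytes_out), the kind of
per-process view an endpoint firewall exposes. Constructed sample data only.
"""
from collections import defaultdict

# Constructed "learning window": ordinary browsing and mail traffic.
BASELINE_LOG = [
    ("chrome.exe", "mail.example.com", 443, 20_000),
    ("chrome.exe", "cdn.example.net", 443, 5_000),
    ("outlook.exe", "mail.example.com", 443, 12_000),
    ("chrome.exe", "mail.example.com", 443, 18_000),
]

# Constructed "live" batch: one unknown process uploading a lot to a new host
# (TEST-NET-3 address), one known process sending far more than usual.
LIVE_LOG = [
    ("chrome.exe", "mail.example.com", 443, 19_000),
    ("updater.exe", "203.0.113.45", 8080, 900_000),
    ("chrome.exe", "mail.example.com", 443, 200_000),
    ("outlook.exe", "mail.example.com", 443, 11_000),
]


def build_baseline(records):
    """Return the set of seen (process, host, port) keys and each process's
    largest single outbound byte count from the learning window."""
    known = set()
    peak = defaultdict(int)
    for proc, host, port, sent in records:
        known.add((proc, host, port))
        peak[proc] = max(peak[proc], sent)
    return known, dict(peak)


def find_deviations(records, known, peak, volume_factor=3):
    """Flag connections to a never-seen destination, or a known destination
    where bytes_out exceeds volume_factor times the process's baseline peak."""
    alerts = []
    for proc, host, port, sent in records:
        dest = f"{host}:{port}"
        if (proc, host, port) not in known:
            alerts.append(("new-connection", proc, dest, sent))
        elif sent > peak.get(proc, 0) * volume_factor:
            alerts.append(("volume-spike", proc, dest, sent))
    return alerts


if __name__ == "__main__":
    known, peak = build_baseline(BASELINE_LOG)
    for alert in find_deviations(LIVE_LOG, known, peak):
        print(*alert)
```

The same two checks apply to real records from an endpoint firewall export; the learning window should cover enough normal activity that routine destinations are not repeatedly flagged as new.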

Alternatively, don’t get compromised.

Baldr Information Security is in no way related to the Baldr Stealer Malware and has no relation to its author(s) or developer(s). A write-up on its functionality can be found from Malwarebytes here. Additionally, Hasherezade on YouTube has already made a great video on its limitations and capabilities here.
