Author: Tim O'Connor
A revolutionary new type of malware toolset is starting to show up in dark web hacking forums. The new malware architecture is being called “Grab-n-Go”.
Until now, malware has typically been designed to infect a computer, network or mobile device and stay resident, collecting all of the information it can. Grab-n-go malware does not linger long enough to be caught by a scheduled scan, nor does it try to spread to other systems, so it can apparently slip past both signature-based and behavior-based anti-malware products.
Recently we have seen attackers switch from brute-force attacks to password "spray attacks" that generate very little traffic and footprint, taking only the low-hanging fruit before any alarm is tripped. This malware follows a similar philosophy: it keeps a very low profile, grabs personal information from screenshots, caches, browser history, crypto-currency wallets and commonly used files, and then quickly uninstalls itself before it can be detected.
The danger in this development is not only that the malware is hard to detect but that victims may never know they were compromised at all. Because it captures the screen, it can collect any kind of information, including financial data: anything shown on the display can be compromised, including passwords, account details, spreadsheets, emails, photos, blueprints, videos, new product designs and business plans.
One sample of this new breed of malware, called Baldr, is currently being examined. It appears to come from notorious Russian malware developers.
At first Baldr appeared to be poorly designed because it makes little effort to hide the transfer of stolen data back to its command-and-control (C2) servers. Researchers now realize that, since it makes a single transfer and then self-destructs, it has little need for stealth: seconds after it announces its presence, it is gone, along with the victim's data.
Baldr does not need to replicate itself because it spreads through human interaction with social media posts, fake ads and clickbait websites. It is designed only for an initial infection, after which it quickly leaves, giving no time for detection or investigation.
After further investigation, it turns out not to be a poorly designed piece of code after all. Baldr is highly sophisticated malware that has so far frustrated researchers' attempts to fully analyze its code.
Because Baldr-style malware is, in practice, usually noticed only after it has sent its data package and gone, the best way to protect ourselves and our organizations is good security awareness training that focuses on recognizing clickbait, browsing hygiene and social media scam awareness. Two technical controls still apply, because the malware leaves a short but real trail: the single, unconcealed upload to the C2 server is visible to a proxy or network sensor while it happens, and endpoint telemetry shipped off the host records the reads of browser and wallet stores and the self-deletion even after the executable itself is gone.
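The behavior described above (a short-lived process that reads browser and wallet stores, takes a screenshot, makes one outbound upload and then deletes its own executable) is a pattern that endpoint telemetry can be searched for after the fact, even though the binary is gone. The script below is an added example written for this article, not code from the author or from any Baldr analysis. The event schema, field names, file paths, IP address and the sample log are all constructed for illustration and do not match any particular EDR product; adapt the event kinds and sensitive-path markers to your own telemetry.

```python
"""Heuristic detector for "grab-n-go" stealer behavior over endpoint telemetry.

Added example, not from the original article. Event format, field names and
the sample log below are constructed for illustration and are not any real
EDR product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings of paths a stealer typically harvests: browser credential,
# cookie and history stores, plus crypto-currency wallets. Constructed list.
SENSITIVE_MARKERS = (
    "\\Login Data", "\\Cookies", "\\Web Data", "\\History",
    "wallet.dat", "\\Exodus\\", "\\Electrum\\",
)

# Constructed sample telemetry: (timestamp, pid, event kind, detail).
# PID 4120 shows the grab-n-go pattern; PID 5000 is a benign browser session.
SAMPLE_EVENTS = [
    ("2019-05-01T10:00:00", 4120, "process_start", "C:\\Users\\bob\\Downloads\\crack.exe"),
    ("2019-05-01T10:00:01", 4120, "file_read", "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    ("2019-05-01T10:00:01", 4120, "file_read", "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"),
    ("2019-05-01T10:00:02", 4120, "file_read", "C:\\Users\\bob\\AppData\\Roaming\\Bitcoin\\wallet.dat"),
    ("2019-05-01T10:00:02", 4120, "screenshot", "BitBlt of primary display"),
    ("2019-05-01T10:00:03", 4120, "net_connect", "POST http://203.0.113.10/gate.php bytes=1843201"),
    ("2019-05-01T10:00:04", 4120, "file_delete", "C:\\Users\\bob\\Downloads\\crack.exe"),
    ("2019-05-01T10:00:04", 4120, "process_exit", "code=0"),
    ("2019-05-01T10:05:00", 5000, "process_start", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    ("2019-05-01T10:05:01", 5000, "file_read", "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    ("2019-05-01T10:05:02", 5000, "net_connect", "GET https://www.example.com/ bytes=412"),
    ("2019-05-01T10:45:00", 5000, "process_exit", "code=0"),
]


def detect_grab_n_go(events, max_lifetime=timedelta(minutes=2), min_stores=2):
    """Return one alert per process whose telemetry matches the grab-n-go
    pattern: an outbound POST plus at least two of {reads of several
    credential/wallet stores, a screenshot, self-deletion of its own image,
    a lifetime shorter than max_lifetime}."""
    by_pid = defaultdict(list)
    for ts, pid, kind, detail in events:
        by_pid[pid].append((datetime.fromisoformat(ts), kind, detail))

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort()  # chronological; ties fall back to kind/detail order
        image = next((d for _, k, d in evs if k == "process_start"), None)
        stores = {d for _, k, d in evs
                  if k == "file_read" and any(m in d for m in SENSITIVE_MARKERS)}
        posts = [d for _, k, d in evs if k == "net_connect" and d.startswith("POST ")]
        screenshots = sum(1 for _, k, _ in evs if k == "screenshot")
        self_deleted = any(k == "file_delete" and d == image for _, k, d in evs)
        exited = any(k == "process_exit" for _, k, _ in evs)
        lifetime = evs[-1][0] - evs[0][0]

        signals = []
        if len(stores) >= min_stores:
            signals.append(f"read {len(stores)} credential/wallet stores")
        if posts:
            signals.append(f"{len(posts)} outbound POST(s)")
        if screenshots:
            signals.append(f"{screenshots} screenshot(s)")
        if self_deleted:
            signals.append("deleted own image")
        if exited and lifetime <= max_lifetime:
            signals.append(f"lifetime {int(lifetime.total_seconds())}s")

        # The exfil upload is mandatory; require two corroborating signals so
        # a browser reading its own stores does not fire the rule.
        if posts and len(signals) >= 3:
            alerts.append({"pid": pid, "image": image, "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect_grab_n_go(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['image']}): " + ", ".join(alert["signals"]))
```

On the sample log the rule flags PID 4120 and ignores the Chrome process, which reads one of the same files but never uploads anything or deletes itself. The upload is the anchor of the rule on purpose: the article notes that Baldr makes no effort to conceal its single transfer, so a large POST to an uncategorized host moments after credential-store reads is the one moment the malware is loud, and the same condition can be mirrored as a proxy or IDS alert to catch it in flight rather than in a post-mortem search.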
If you’d like to talk through any security questions or concerns, please reach out! We’d love to be of service.