Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 163: BEWARE OF “Baldr Malware”

Reference Number: ACG-CSB 050219163

         The following information was obtained from various cyber security sources for notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). It is classified as “Restricted” pursuant to PNP Regulation 200-012 on Document Security, and its impact is rated as High based on the PNP Information and Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.

SUMMARY

         Baldr is one of the most harmful pieces of malware a user is likely to encounter. It is capable of doing severe damage to a PC. It slips into the targeted computer by stealth, without the user's permission, usually by bundling itself with a common freeware application and entering the system when the user downloads that application onto the PC. Once installed, the Baldr Stealer will compromise the entire machine. It modifies crucial system settings, making it very hard for the victim to use the infected computer. It also tampers with the registry, damages crucial system files and infects the boot sector. It drops malicious code that allows the threat to execute itself automatically at system start-up.

         Baldr malware was purposely made to steal browser data such as cookies, passwords, browsing history and auto-fill form data. Additionally, it is capable of stealing wallet.dat files created by Bitcoin clients; these files store the wallet's private key information. Baldr also records data from messaging applications, collects data from Virtual Private Network (VPN) clients and gathers records from web browser applications. Moreover, it can be used to steal files placed on the Desktop and in the Documents and Downloads folders, and it can take screenshots. Additionally, Baldr collects system information such as geolocation, IP address, computer name, username, MAC address, screen resolution, operating system language, amount of installed RAM, list of installed programs and other information of this type.

         Baldr malware is distributed via malicious apps, malicious software disguised as hacking tools, and fake bitcoin miners. Quite often, cyber criminals distribute it through emails (spam campaigns): they attach malicious files and hope that at least some of the recipients will open them. Typically, these attachments are JavaScript files, Microsoft Office or PDF documents, archives such as ZIP or RAR, or executable files (.exe).

         Criminals using the information stealer can then reuse the stolen credentials depending on the target. They can see how many targets they were able to infect successfully and where those targets are located, and sort them by operating system version.

RECOMMENDATION

All PNP personnel as well as the public are advised to follow these tips in order to avoid the risk of being infected by Baldr Malware:

  • Do not open attachments or web links included in emails received from unknown senders;
  • Update installed software only through the built-in update functions or the tools provided by the official software developers;
  • Keep all software up to date. Apply stable and secure updates as soon as they become available to patch vulnerabilities that hackers may exploit;
  • Make sure that the business has a firewall installed on the network and turned on at all times;
  • When using a Microsoft operating system, download Microsoft Security Essentials, which is free, or use another reputable antivirus and anti-malware program; and
  • Be wary of visiting unsecured websites and downloading software. Recently, ransomware has been found in advertisements on popular sites, and “free” software is often embedded with malware.

For additional information, please refer to the following websites:

POINT OF CONTACT

         Please contact PMAJ ANGELICA STARLIGHT L. RIVERA, Asst. Chief, ARMD, by e-mail or by telephone at (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.