Threat actors are advertising a new Golang-based information stealer malware dubbed Titan Stealer via their Telegram channel. “The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files,” reads a report from Karthickkumar Kathiresan and Shilpesh Trivedi.
The malware’s features were first reported by cybersecurity expert Will Thomas in November 2022. Titan is advertised as a malware builder, letting buyers customize the binary’s functionality and the types of data it extracts from a victim’s computer.

Upon execution, the malware uses process hollowing to inject its payload into the memory of a legitimate process, AppLaunch.exe, the Microsoft .NET ClickOnce Launch Utility. Titan targets popular browsers, including Google Chrome, Microsoft Edge, Opera, Mozilla Firefox, Brave, Vivaldi, 7 Star Browser, Yandex, Iridium Browser, and others. It also attacks cryptocurrency wallets such as Ethereum, Exodus, Bytecoin, Coinomi, Armory, Edge Wallet, Guarda, Jaxx Liberty, and Zcash. Additionally, it collects data from the Telegram desktop app and compiles a list of the programs installed on the host.

The gathered data is then sent as a Base64-encoded archive file to a remote server under the attacker’s control, and a web panel lets the operators view the stolen data. The exact distribution method is currently unknown, but threat actors have historically used phishing, malicious advertisements, and cracked software to deliver such stealers.
“One of the primary reasons [threat actors] may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS. Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software,” reads Cyble’s technical analysis.

The finding comes a little more than two months after SEKOIA announced Aurora Stealer, another Go-based malware that several malicious actors are using in their campaigns. Aurora often spreads through websites that imitate well-known software, with the same domains continuously updated to host trojanized versions of various applications. To evade antivirus software, it has also been seen using padding: appending random data to inflate its executables to as much as 260MB. The discoveries follow a malware operation that spread Raccoon and Vidar through many fraudulent websites masquerading as legitimate programs.
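The padding trick described above leaves a measurable trace: a PE whose file size far exceeds the end of its last section, with the excess bytes looking random. The following Python is an added example written for this article, not code from Cyble, SEKOIA, or any of the reports cited; it builds a constructed, non-executable PE fixture, parses the section table to locate the overlay (the bytes after the last section), and flags files with a large, high-entropy overlay. The 50 MB size threshold and the 7.0 entropy threshold are assumptions chosen for illustration, and the example assumes the padding sits in the overlay, which is one common placement but not the only one.

```python
import math
import os
import struct
from collections import Counter

FILE_ALIGNMENT = 0x200


def build_sample_pe(section_payload: bytes, overlay: bytes) -> bytes:
    """Construct a minimal PE32 layout with one section (test fixture only).

    Only the headers needed to parse the section table are populated; the
    result is not a runnable executable.
    """
    pe_offset = 64
    size_of_optional_header = 0xE0  # PE32 optional header size
    section_table_offset = pe_offset + 4 + 20 + size_of_optional_header
    headers_end = section_table_offset + 40  # one IMAGE_SECTION_HEADER
    raw_ptr = -(-headers_end // FILE_ALIGNMENT) * FILE_ALIGNMENT  # round up
    raw_size = -(-len(section_payload) // FILE_ALIGNMENT) * FILE_ALIGNMENT

    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_offset)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional_header, 0x0102)
    optional = b"\x00" * size_of_optional_header
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\x00\x00" + coff + optional + section
    image += b"\x00" * (raw_ptr - len(image))
    image += section_payload.ljust(raw_size, b"\x00")
    return image + overlay


def end_of_sections(data: bytes) -> int:
    """Return the file offset just past the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    end = table + 40 * num_sections  # at least the section table itself
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; ~8.0 for random data, 0.0 for a single repeated byte."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def inspect_overlay(data: bytes, size_threshold: int = 50 * 1024 * 1024,
                    entropy_threshold: float = 7.0) -> dict:
    """Report overlay size and entropy; flag large random-looking overlays.

    Thresholds are assumptions for illustration; installers with embedded
    archives also carry large overlays, so treat a hit as a triage signal.
    """
    overlay = data[end_of_sections(data):]
    entropy = shannon_entropy(overlay)
    return {
        "file_size": len(data),
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "overlay_entropy": entropy,
        "suspicious": len(overlay) >= size_threshold and entropy >= entropy_threshold,
    }


def demo() -> dict:
    """Compare a constructed clean fixture with one padded by random bytes."""
    clean = build_sample_pe(b"\x90" * 100, b"")
    padded = build_sample_pe(b"\x90" * 100, os.urandom(256 * 1024))
    # A small threshold keeps the fixture small; real scans would use the default.
    return {"clean": inspect_overlay(clean, size_threshold=64 * 1024),
            "padded": inspect_overlay(padded, size_threshold=64 * 1024)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Reading the entropy alongside the size is what separates the random-data padding described here from benign zero-filled overlays or signed installers: the former reports close to 8.0 bits per byte, the latter far less or an overlay that parses as a real archive or Authenticode signature.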