Description
A new Golang-based information stealer malware called Titan Stealer was seen being showcased by a threat actor through their Telegram.
Summary
This new malware is sold as a builder, where any cybercriminal can customize the binary to include specific functionalities and which type of information to exfiltrate. It is capable of stealing different kinds of information from infected systems ranging from credential data stored in browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files. Some of the major web browsers targeted by Titan include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, and Iridium Browser, among others. The crypto wallets targeted are Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.
Titan Stealer is written using the Go language and it is believed that this language is used because of its simplicity and its ability to execute on different operating systems. Although it is unclear how Titan is propagated at this time, it is suspected that cyber criminals leverage traditional methods such as phishing, malicious ads and cracked software. Upon execution, titan would use a technique known as process hollowing to inject its malicious code into the memory of a legitimate Microsoft .NET process called AppLaunch.exe. The malware executable runs from the memory region of the AppLaunch.exe process. Stolen information is transmitted as a Based64-encoded archive file to a remote server that is controlled by the cybercriminal.
Indicators of Compromise
The file hashes and domain/URL associated with the Titan Stealer are as follows:
Stage 1 – e7f46144892fe5bdef99bdf819d1b9a6 (MD5)
Stage 2 – b10337ef60818440d1f4068625adfaa2 (MD5)
Remediation
To protect yourself against malware attacks like the Titan Stealer, it is recommended to:
Update passwords regularly and employ a strong password policy.
Avoid downloading applications from untrusted websites. Be wary of cracked software as well since cyber criminals tend to bundle malware with these software.
Avoid URLs and attachments in spam emails.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: New Golang-based info stealer malware emerges.pdf
References
Lakshmanan, R. (2023, January 30). Titan Stealer: A New Golang-Based Information Stealer Malware Emerges. Retrieved from The Hacker News. https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html
Kathiresan, K. (2023, January 23). The Titan Stealer: Notorious Telegram Malware Campaign Uptycs. Retrieved from uptycs. https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign