A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel.

“The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files,” Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi said in a recent report.

Details of the malware were first documented by cybersecurity researcher Will Thomas (@BushidoToken) in November 2022 by querying the IoT search engine Shodan.

Titan is offered as a builder, enabling customers to customize the malware binary to include specific functionalities and the kind of information to be exfiltrated from a victim’s machine.

Upon execution, the malware employs a technique known as process hollowing, in which a legitimate process is started in a suspended state, its original image is unmapped and replaced with the malicious payload, and the main thread is then resumed. Here the hollowed host is AppLaunch.exe, the Microsoft .NET ClickOnce Launch Utility, so the stealer runs under the name of a signed Microsoft binary.

Some of the major web browsers targeted by Titan Stealer include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. The crypto wallets singled out are Armory, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.

It’s also capable of gathering the list of installed applications on the compromised host and capturing data associated with the Telegram desktop app.

The amassed information is subsequently transmitted to a remote server under the attacker’s control as a Base64-encoded archive file.
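A Base64-encoded archive posted to a command-and-control server is what an analyst actually sees in a proxy log or packet capture. The following Python, added here as an example and taken neither from the Uptycs report nor from the Titan code, decodes such a body and inventories it without extracting anything, so a zip bomb cannot blow up the triage host. It assumes the archive is a ZIP (the report says only “archive”), and the sample upload it builds is constructed, with dummy member names standing in for the data categories listed above.

```python
"""Triage a captured stealer upload: decode the Base64 body and inventory the archive."""
from __future__ import annotations

import base64
import binascii
import io
import zipfile


def build_sample_upload() -> bytes:
    """Construct a stand-in for the exfiltrated payload (not a real Titan sample).

    Member names mimic the categories the report lists; the contents are dummy bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Browsers/Chrome/Login Data", b"dummy login db")
        zf.writestr("Wallets/Exodus/seed.seco", b"dummy wallet")
        zf.writestr("FTP/FileZilla/recentservers.xml", b"<xml/>")
        zf.writestr("System/info.txt", b"hostname=WIN-TEST")
        zf.writestr("screenshot.png", b"\x89PNG dummy")
    return base64.b64encode(buf.getvalue())


def decode_upload(body: bytes) -> bytes:
    """Strictly decode the Base64 body; raise if it is not valid Base64."""
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid Base64: {exc}") from exc


def inventory_archive(raw: bytes) -> list:
    """Return (member name, uncompressed size) for each file in a ZIP payload.

    Only the central directory is read; nothing is decompressed, so an
    oversized or malicious member cannot exhaust memory during triage.
    """
    if not raw.startswith(b"PK\x03\x04"):
        raise ValueError("decoded body does not start with a ZIP local-file header")
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def categorize(members: list) -> dict:
    """Bucket members by top-level directory to summarise what was taken."""
    buckets: dict = {}
    for name, size in members:
        top = name.split("/", 1)[0] if "/" in name else "(root)"
        buckets.setdefault(top, []).append((name, size))
    return buckets


if __name__ == "__main__":
    members = inventory_archive(decode_upload(build_sample_upload()))
    for top, items in categorize(members).items():
        print(f"{top}: {len(items)} file(s)")
        for name, size in items:
            print(f"  {name} ({size} bytes)")
```

The strict `validate=True` decode matters in practice: a body that is not clean Base64 is either a different encoding or a different malware family, and silently dropping invalid characters would hide that.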
Furthermore, the malware comes with a web panel that enables adversaries to access the stolen data.

The exact modus operandi used to distribute the malware is unclear as yet, but traditionally threat actors have leveraged a number of methods, such as phishing, malicious ads, and cracked software.

“One of the primary reasons [threat actors] may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS,” Cyble said in its own analysis of Titan Stealer. “Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software.”

The development arrives a little over two months after SEKOIA detailed another Go-based malware referred to as Aurora Stealer that’s being put to use by several criminal actors in their campaigns.

The malware is typically propagated via lookalike websites of popular software, with the same domains actively updated to host trojanized versions of different applications. It has also been observed taking advantage of a method known as padding to artificially inflate the size of the executables to as much as 260MB by appending random data, since many antivirus engines and sandboxes skip or truncate files above a size threshold and so never scan the inflated binary.
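Padding of this kind leaves a recognisable trace on disk: the file is far larger than the point where the last PE section ends, and the trailing bytes have near-maximal entropy if they are random. The following Python, an added example rather than anything from the SEKOIA analysis, parses the section table to measure that trailing overlay and flags files where it dominates; the sample it builds is a constructed PE-shaped stub, not an Aurora binary, and the thresholds are illustrative assumptions.

```python
"""Spot executables inflated with junk appended after the last PE section (an overlay)."""
from __future__ import annotations

import math
import os
import struct
from collections import Counter

COFF_HEADER_SIZE = 20     # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER


def build_sample_pe(overlay_size: int, random_fill: bool = True) -> bytes:
    """Construct a minimal PE-shaped file with one section plus an overlay.

    Built for this example only (it is not executable and not a stealer sample);
    it carries just enough header structure for overlay_info() to parse.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\x00"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> PE signature
    opt_size = 0xE0                                         # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = b"\x0B\x01".ljust(opt_size, b"\x00")         # magic 0x10B, rest zeroed
    raw_ptr, raw_size = 0x400, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\x00\x00" + coff + optional + section).ljust(raw_ptr, b"\x00")
    image = headers + b"\xCC" * raw_size                   # the only section's raw data
    filler = os.urandom(overlay_size) if random_fill else b"\x00" * overlay_size
    return image + filler


def overlay_info(data: bytes) -> dict:
    """Return where the PE image ends on disk and how much data trails it."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    image_end = table + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + SECTION_HEADER_SIZE * i + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    overlay = max(len(data) - image_end, 0)
    return {"file_size": len(data), "image_end": image_end, "overlay_size": overlay,
            "overlay_ratio": overlay / len(data) if data else 0.0}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: about 8.0 for random data, 0.0 for a run of one byte value."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def assess(data: bytes, min_overlay: int = 1 << 20, min_ratio: float = 0.9) -> dict:
    """Flag files whose overlay dominates the file. Thresholds are illustrative.

    Caveat: legitimate overlays exist (Authenticode signatures, self-extracting
    installers), so treat a hit as a triage signal, not a verdict.
    """
    info = overlay_info(data)
    info["overlay_entropy"] = shannon_entropy(data[info["image_end"]:])
    info["suspicious"] = info["overlay_size"] >= min_overlay and info["overlay_ratio"] >= min_ratio
    return info


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(0)), ("padded", build_sample_pe(4 << 20))):
        r = assess(sample)
        print(f"{label}: {r['file_size']} bytes, overlay {r['overlay_size']} "
              f"({r['overlay_ratio']:.1%}), entropy {r['overlay_entropy']:.2f}, "
              f"suspicious={r['suspicious']}")
```

The entropy figure distinguishes the random filler described above from zero-padding: both inflate the file, but a run of zeros compresses away and scores 0.0, while random bytes score close to 8.0 and will not shrink when the sample is archived for analysis.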
The findings come close on the heels of a malware campaign that has been observed delivering Raccoon and Vidar using hundreds of fake websites masquerading as legitimate software and games.

Team Cymru, in an analysis published earlier this month, noted that “Vidar operators have split their infrastructure into two parts; one dedicated to their regular customers and the other for the management team, and also potentially premium / important users.”