A new Golang-based information-stealing malware called titan stealer Promoted through Telegram channel by threat actors.
According to Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi, “Stealers can steal a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP It includes client details, screenshots, system information, retrieved files, and more.” Said in a recent report.
malware details first documented Cybersecurity researcher Will Thomas (@BushidoToken) queries IoT search engine Shodan in November 2022.
Titan is offered as a builder, allowing customers to customize the malware binary to include specific functionality and types of information to steal from the victim’s machine.
At runtime, the malware Hollow processing Injects a malicious payload into the memory of a legitimate process known as AppLaunch.exe, a Microsoft .NET ClickOnce launch utility.
Major web browsers targeted by Titan Stealer include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser and Iridium Browser. The crypto wallets selected are Armory, Armory, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.
It can also gather a list of applications installed on compromised hosts and capture data related to the Telegram desktop app.
The collected information is sent as a Base64-encoded archive file to a remote server under the attacker’s control. Additionally, the malware comes with a web panel that allows attackers to access the stolen data.
The exact tactics used to distribute the malware are still unknown, but traditionally attackers have used a variety of methods, including phishing, malicious advertising, and cracked software.
“One of the main reasons [threat actors] Information-stealing malware may use Golang because it makes it easier to create cross-platform malware that can run on multiple operating systems such as Windows, Linux, and macOS,” said Cyble. Said In our own analysis of Titan Stealer.
“Furthermore, binary files compiled with Go are smaller, making them more difficult for security software to detect.”
The development came just over two months after SEKOIA detailed another Go-based malware, Aurora Stealer. Aurora Stealer has been used in campaigns by multiple criminals.
Malware is normally propagated Via look-alike websites of popular software, the same domains are actively updated and host Trojan horse versions of various applications.
It has also been observed to artificially inflate executable sizes up to 260MB by adding random data to avoid detection by antivirus software, using a method known as padding.
The findings follow malware campaigns observed to deliver Raccoon and Vidar using hundreds of fake websites masquerading as legitimate software and games.
Team Cymru analysis Published earlier this month, “The Vidar operator has split their infrastructure into two parts: one dedicated to regular customers and one dedicated to the management team and potentially premium/important users. ”