A new Golang-based information stealer malware, dubbed Titan Stealer, is being advertised by threat actors through their Telegram channel. Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi first documented the malware in November 2022 after querying the IoT search engine Shodan.

Titan Stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files. It is offered as a builder, allowing customers to customize the malware binary to include specific functionalities and the kind of information to be exfiltrated from a victim's machine.

The malware employs a technique known as process hollowing to inject the malicious payload into the memory of a legitimate process known as AppLaunch. It is also capable of gathering the list of installed applications on the compromised host and capturing data associated with the Telegram desktop app. The stolen data is then transmitted to a remote server under the attacker's control as a Base64-encoded archive file. The malware comes with a web panel that enables adversaries to access the stolen data.

The exact modus operandi used to distribute the malware is unclear, but traditionally threat actors have leveraged a number of methods, such as phishing, malicious ads, and cracked software. One of the primary reasons for writing information stealer malware in Golang is that it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS. Additionally, the Go-compiled binaries are small in size, making them more difficult to detect by security software.

This development follows the emergence of another Go-based malware referred to as Aurora Stealer, which is being used by several criminal actors in their campaigns.
The malware is typically propagated via lookalike websites of popular software, with the same domains actively updated to host trojanized versions of different applications. It has also been observed taking advantage of a method known as padding to artificially inflate the size of the executables to as much as 260MB by adding random data so as to evade detection by antivirus software. Recently, a malware campaign has been observed delivering Raccoon and Vidar using hundreds of fake websites masquerading as legitimate software and games. Team Cymru noted that Vidar operators have split their infrastructure into two parts; one dedicated to their regular customers and the other for the management team, and also potentially premium / important users.
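The padding trick described above (inflating an executable with appended filler so it exceeds the size limits of scanners) leaves a measurable trace: the filler sits after the last PE section, in what analysts call the overlay. The following Python script is an added example for defenders, not code from the article, from Uptycs or from Team Cymru. It parses the PE section table with the standard library only, measures how much of the file is overlay, reports the overlay's entropy (random filler reads close to 8 bits per byte, a run of zero bytes reads 0), and applies a triage rule whose thresholds are assumptions chosen for illustration. The `build_stub_pe` helper constructs a minimal, non-executable PE stub so the script runs offline on constructed input.

```python
import math
import struct
from dataclasses import dataclass


@dataclass
class OverlayReport:
    file_size: int
    sections_end: int       # offset just past the last section's raw data
    overlay_size: int       # bytes appended after the sections (the "padding")
    overlay_ratio: float    # overlay_size / file_size
    overlay_entropy: float  # Shannon entropy (bits/byte) of an overlay sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sections_end_offset(pe: bytes) -> int:
    """Walk the DOS header, COFF header and section table; return the largest
    PointerToRawData + SizeOfRawData. Everything beyond that offset is overlay."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt_hdr = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt_hdr          # section table follows the optional header
    end = 0
    for i in range(num_sections):
        hdr = table + i * 40                       # each IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def inspect_overlay(pe: bytes, sample_len: int = 64 * 1024) -> OverlayReport:
    """Measure the overlay; entropy is computed on a bounded sample to keep it cheap."""
    end = sections_end_offset(pe)
    overlay = pe[end:]
    return OverlayReport(
        file_size=len(pe),
        sections_end=end,
        overlay_size=len(overlay),
        overlay_ratio=len(overlay) / len(pe) if pe else 0.0,
        overlay_entropy=shannon_entropy(overlay[:sample_len]),
    )


def is_padded(report: OverlayReport, min_ratio: float = 0.5,
              min_bytes: int = 50 * 1024 * 1024) -> bool:
    """Triage rule with assumed thresholds: flag when the overlay is both large
    and makes up most of the file. Entropy is left to the analyst as context."""
    return report.overlay_size >= min_bytes and report.overlay_ratio >= min_ratio


def build_stub_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed test input: a one-section PE stub with no optional header.
    It is not runnable as a program; it exists only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)  # 1 section, SizeOfOptionalHeader=0
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000,
                                       len(section), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + sec).ljust(0x200, b"\0")
    return headers + section + overlay             # section raw data starts at 0x200


if __name__ == "__main__":
    clean = build_stub_pe(b"\x90" * 0x200)
    # Constructed filler: every byte value equally often, so entropy is 8.0 like random data.
    padded = build_stub_pe(b"\x90" * 0x200, bytes(range(256)) * 8192)
    for name, blob in (("clean", clean), ("padded", padded)):
        r = inspect_overlay(blob)
        print(name, r, "FLAG" if is_padded(r, min_bytes=1 << 20) else "ok")
```

Treat the result as a triage signal rather than a verdict: Authenticode signatures, self-extracting installers and some packers legitimately store data in the overlay, so a hit is worth pairing with the signature check, the declared file size and the entropy figure before escalating.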
This Cyber News was published on thehackernews.com. Publication date: Tue, 31 Jan 2023 03:40:03 +0000