Uncovering the Secrets of the Command and Control Panel
A new trend has been observed among Threat Actors (TAs) of using Golang for their information stealer malware. Golang, also known as Go, is a programming language developed by Google known for its simplicity, efficiency, and performance. Titan Stealer is a recent example of the use of Golang by TAs.
One of the primary reasons TAs may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS. Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software.
Cyble Research and Intelligence Labs (CRIL) recently spotted one such malware – Titan Stealer. Our team also discovered multiple Command and Control (C&C) infrastructures associated with this Stealer targeting new victims. The image below displays the C&C information of Titan Stealer seen in the wild.
Over the course of our research, we observed that the Command and Control (C&C) panel of the Titan Stealer contains statistics about the victims and the stolen data.
At the time of our analysis, there were 94 entries in the panel, indicating that the malware has potentially infected multiple systems and possibly multiple Command and Control servers have been activated.
The image below shows Titan Stealer’s dashboard.
The “My Account” section located in the panel of the Stealer provides information about the Threat Actor (TA) responsible for running this malware. This section includes the TA’s username, chat ID, subscription status, account expiry date, and options to reset the password.
The figure below displays the TA’s account details.
The Titan Stealer panel includes a “Builder” page that allows TAs to create a customized version of the stealer executable. The build is compiled with a user-specified build ID, the file extensions to grab from the victim’s machine, and the domain name the stealer reports to.
The figure below depicts the Logs panel of Titan Builder.
Technical Analysis
We have identified multiple samples of the Titan Stealer in the wild. For this analysis, we used LEMONS.exe (SHA256: 0e4800e38fb6389f00d9e35f1a65669fecb3abf141a2680b9b8a5b5d255ae2cb).
The figure below shows additional file details.
The unique build ID of the Go compiled binary is shown in the figure below.
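The build ID referred to above is the marker the Go linker embeds in every binary it produces; pulling it out of a sample is a cheap triage step for clustering builds of the same stealer. The script below is an added example written for this page, not code from the original report or from the stealer itself: it locates the Go build ID marker (the `\xff Go build ID: "…"\n \xff` string that the Go toolchain's `cmd/internal/buildid` package writes and that `go tool buildid` reads) and returns the ID. The sample bytes, including the ID value, are constructed for the example and are not taken from any real sample.

```python
from typing import Optional

# Go's linker stores its build ID as a marker string near the start of the text section:
#   b'\xff Go build ID: "<id>"\n \xff'
# (prefix and suffix as defined in cmd/internal/buildid of the Go toolchain).
GO_BUILDID_PREFIX = b'\xff Go build ID: "'
GO_BUILDID_SUFFIX = b'"\n \xff'
MAX_BUILDID_LEN = 256  # generous upper bound; real IDs are well under this


def extract_go_build_id(data: bytes) -> Optional[str]:
    """Return the Go build ID embedded in `data`, or None if no well-formed marker is found."""
    start = data.find(GO_BUILDID_PREFIX)
    if start < 0:
        return None
    start += len(GO_BUILDID_PREFIX)
    # Only accept a closing marker within a sane distance of the opening one
    end = data.find(GO_BUILDID_SUFFIX, start, start + MAX_BUILDID_LEN + len(GO_BUILDID_SUFFIX))
    if end < 0:
        return None
    raw = data[start:end]
    # A genuine ID is printable ASCII; anything else is a coincidental byte pattern
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def build_id_from_file(path: str) -> Optional[str]:
    """Convenience wrapper: read a file from disk and extract its Go build ID."""
    with open(path, "rb") as fh:
        return extract_go_build_id(fh.read())


# Constructed sample: an MZ stub followed by a fake build ID marker. The ID is invented
# for this example and does not belong to any real binary.
SAMPLE_ID = "Wx1aBcDeFgHiJkLmNoPq/AbCdEfGhIjKlMnOpQrSt/UvWxYzAbCdEfGhIjKlMn/OpQrStUvWxYzAbCdEfGh"
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 62
    + GO_BUILDID_PREFIX + SAMPLE_ID.encode("ascii") + GO_BUILDID_SUFFIX
    + b"\x90" * 16
)

if __name__ == "__main__":
    print(extract_go_build_id(SAMPLE_BINARY))
```

Samples that share a build ID were produced by the same compile and link inputs, so the value is a useful pivot when grouping stealer builds that differ only in embedded configuration; on a machine with the Go toolchain installed, `go tool buildid <file>` gives the same answer and is the reference implementation.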
Titan Stealer extracts system information such as IP address, country, city, username, screen size, CPU model name, thread count, and GPU.
The figure below shows the stolen system information from the victim’s machine.
Upon execution, the stealer searches for multiple cryptocurrency wallets by checking the AppData\Roaming folder.
The figure below shows the crypto wallets targeted by Titan Stealer.
If the stealer identifies the wallets installed in the victim’s system, it grabs the related files and sends them to the C&C server. After checking wallets, the stealer then proceeds to scan the system for installed software and sends a list of installed software to its C&C server.
The figure below shows the installed software list enumerated by the stealer.
The stealer then checks for installed web browsers to extract multiple browser information such as autofill, session cookies, history, passwords, etc.
The figure below shows the stealer targeting Chrome data.
The stealer targets the following web browsers: Mozilla Firefox, Google Chrome, Yandex Browser, Opera GX Stable, Chromium, Opera Stable, Brave-Browser, Vivaldi, Microsoft Edge, 7Star, Iridium, Cent Browser, Kometa, Elements Browser, Epic Privacy Browser, Uran, Citrio, Coowon, Liebao, QIP surf, Orbitum, Amigo, Torch, Comodo, 360Browser, Maxthon3, Nichrome, and CocCoc.
The figure below shows the stealer enumerating the Steam Application.
- The stealer enumerates and grabs text and document files present in locations including AppData\Roaming, Desktop, and Downloads.
- The stealer also targets FTP clients such as FileZilla and GHISLER and steals FTP server credentials.
- The stealer also targets and steals Telegram data stored at C:\Users\<user>\AppData\Roaming\Telegram Desktop\tdata, as shown in the figure below.
The figure below shows the stealer enumerating the Steam and Telegram applications.
C&C Communication:
Finally, the stealer compresses the stolen data into a zip file and converts the zip file into a Base64-encoded string. This data is then sent to 77[.]73[.]133[.]85:5000/sendlog.
The figure below shows the data exfiltration of Titan Stealer.
The figure below shows the contents of the zip file sent to the C&C server.
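The exfiltration described above (a zip archive, Base64-encoded, POSTed to the C&C endpoint) is a pattern a defender can look for in proxy or web logs. The script below is an added example written for this page, not code from the report or from the stealer: it builds a constructed Base64-wrapped zip shaped like the described body, embeds it in a few constructed proxy log lines (the log format, client addresses and archive entry names are assumptions for the example), and flags POST requests that hit the known C&C netloc, the /sendlog path, or carry a body that decodes to a zip archive. The C&C address is the one in the report, written without the defanging brackets.

```python
import base64
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Values taken from the report: the exfiltration endpoint is 77[.]73[.]133[.]85:5000/sendlog.
KNOWN_C2_NETLOCS = {"77.73.133.85:5000"}
EXFIL_PATH = "/sendlog"
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a zip archive


def build_sample_payload() -> str:
    """Constructed sample: a zip archive, Base64-encoded, shaped like the exfiltration
    body the report describes. The entry names are placeholders, not the stealer's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system_info.txt", "ip=203.0.113.10\ncountry=XX\n")  # RFC 5737 test address
        zf.writestr("wallets/placeholder.dat", b"\x00" * 16)
    return base64.b64encode(buf.getvalue()).decode("ascii")


# Constructed proxy log lines, format "<timestamp> <client> <method> <url> <body-or-dash>".
SAMPLE_LOG = [
    "2023-01-20T10:00:01Z 10.0.0.5 GET http://example.com/index.html -",
    "2023-01-20T10:00:07Z 10.0.0.5 POST http://77.73.133.85:5000/sendlog " + build_sample_payload(),
    "2023-01-20T10:00:09Z 10.0.0.9 POST http://example.com/api/upload aGVsbG8=",  # Base64, not a zip
]


@dataclass
class Finding:
    ts: str
    client: str
    url: str
    reasons: List[str]
    zip_entries: List[str] = field(default_factory=list)


def zip_entries_from_base64(body: str) -> Optional[List[str]]:
    """Return the archive's entry names if `body` is Base64 wrapping a zip file, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Flag POST requests that match the Titan Stealer exfiltration pattern."""
    findings = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # malformed line; a real parser would log this
        ts, client, method, url, body = parts
        if method != "POST":
            continue
        split = urlsplit(url)
        reasons = []
        if split.netloc in KNOWN_C2_NETLOCS:
            reasons.append("known Titan Stealer C&C")
        if split.path == EXFIL_PATH:
            reasons.append("exfiltration path " + EXFIL_PATH)
        entries = zip_entries_from_base64(body) or []
        if entries:
            reasons.append("Base64-encoded zip in request body")
        if reasons:
            findings.append(Finding(ts, client, url, reasons, entries))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.ts, f.client, f.url, "; ".join(f.reasons), f.zip_entries)
```

The IP and path checks are brittle, since the report itself notes multiple C&C servers, so the body check is the one worth keeping: a POST whose body is a Base64 string that decodes to a zip is unusual for ordinary web traffic and survives a change of C&C host. Listing the archive entries also tells an incident responder what categories of data left the host.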
Conclusion
Information stealer malware can be highly dangerous as it can extract confidential and vital information from an infected system, resulting in financial damage.
Additionally, the attacker can use the stolen credentials to carry out identity theft and attack other victims. Such breaches can have severe consequences, especially if an organization’s information is compromised.
Cyble Research and Intelligence Labs (CRIL) will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
- The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
- Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beacons at the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1552 | Credentials in Registry |
Discovery | T1082 | System Information Discovery |
Discovery | T1518 | Security Software Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1087 | Account Discovery |
Collection | T1005 | Data from Local System |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1095 | Non-Application Layer Protocol |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
0f3ac2b54489cfb63beffdec269c9f0e | MD5 | Titan Stealer |
2155e10488f0e1bec472c6c80ab23271c94f18e8 | SHA1 | Titan Stealer |
0e4800e38fb6389f00d9e35f1a65669fecb3abf141a2680b9b8a5b5d255ae2cb | SHA256 | Titan Stealer |
b07263f74d432404b68c0bb1ad2f7844 | MD5 | Titan Stealer |
5936d4e9771ff57ac41852eae6865418fe041e1f | SHA1 | Titan Stealer |
6e96dcad29a10b63f89f50040f107cdd29e850aa21c5831344976953f6704ff5 | SHA256 | Titan Stealer |
00f0b502e17c9525e9e52ac8f524b525 | MD5 | Titan Stealer |
a51f8ce5cc8bf6c82bcec3caf1836059d729ebe0 | SHA1 | Titan Stealer |
28ed2fded652523af511803dbea91b8cefc040ecec703b5308a6c849fb009888 | SHA256 | Titan Stealer |
b7729d9da4b68849baad56b115fcad79 | MD5 | Titan Stealer |
f380628ad32e7a2b805e73802d9c33b3b19ccd23 | SHA1 | Titan Stealer |
32e1fafe04aa05424aaf18bca254760e87bba0114a16788a06768233ea9b70ab | SHA256 | Titan Stealer |
d79252fc03409494c21963842bb880c7 | MD5 | Titan Stealer |
94efe24e005bfb0158559978a7555800bc2a0415 | SHA1 | Titan Stealer |
129c9bdfe44b7b79abf04f56b35a65edd43d63b6294c7f05a3d140413533f385 | SHA256 | Titan Stealer |
7f46e8449ca0e20bfd2b288ee6f4e0d1 | MD5 | Titan Stealer |
9620f97ab57a8c274f661a70c96f546e6fd30f82 | SHA1 | Titan Stealer |
421dbec55ce3481c5cecb630b4d216bacd07ce35a912abe57af81a3641414e83 | SHA256 | Titan Stealer |
a98e68c19c2bafe9e77d1c00f9aa7e2c | MD5 | Titan Stealer |
90097f106675b3ee460a9d32f94d15cb6f8daefe | SHA1 | Titan Stealer |
4264a0c8d7acc6f10539285aa557a2d9d0298285b0a75a51a283241ccf11c94f | SHA256 | Titan Stealer |
82040e02a2c16b12957659e1356a5e19 | MD5 | Titan Stealer |
a4bc61e671875a5a63f3221b9e04d9295bc8e5be | SHA1 | Titan Stealer |
a7dfb6bb7ca1c8271570ddcf81bb921cf4f222e6e190e5f420d4e1eda0a0c1f2 | SHA256 | Titan Stealer |
2bb3b6a9e445047087fe27ecb1cac2dc | MD5 | Titan Stealer |
4221774bb845ec56aa02b63dcb515f177fe31683 | SHA1 | Titan Stealer |
dd3730841bb62b131a08cb37fbd8e1e541fb9cab6baf6c378e84d1c77e858e3a | SHA256 | Titan Stealer |
6e090ecf5cc303cf305932c7998e8553 | MD5 | Titan Stealer |
87c9bd18058ded5cc0d3e0d409a27c485a9dcc7a | SHA1 | Titan Stealer |
e4584bb5db986d9f64297863cd5a7c4062aeeb7e4775dbda4d93d760406165a8 | SHA256 | Titan Stealer |
cbe8e15c575d753324413f917ecbe245 | MD5 | Titan Stealer |
b5f00f28d9c7dd66df6d2151a6fb52d908504b10 | SHA1 | Titan Stealer |
e01264912f6b5d3f3cd84261b4b19408c317e06f83292d6f2ca87ebfb0b71fdc | SHA256 | Titan Stealer |
Source: https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/