Cyble – Titan Stealer: The Growing Use Of Golang Among Threat Actors

Uncovering the Secrets of the Command and Control Panel

A new trend has been observed among Threat Actors (TAs) of using Golang for their information stealer malware. Golang, also known as Go, is a programming language developed by Google known for its simplicity, efficiency, and performance. Titan Stealer is a recent example of the use of Golang by TAs.

One of the primary reasons TAs may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS. Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software.  

Cyble Research and Intelligence Labs (CRIL) recently spotted one such malware – Titan Stealer. Our team also discovered multiple Command and Control (C&C) infrastructures associated with this Stealer targeting new victims. The image below displays the C&C information of Titan Stealer seen in the wild.

Figure 1 – Titan Stealer C&C Information

Over the course of our research, we observed that the Command and Control (C&C) panel of the Titan Stealer contains statistics about the victims and the stolen data.

At the time of our analysis, there were 94 entries in the panel, indicating that the malware has potentially infected multiple systems and possibly multiple Command and Control servers have been activated.

The image below shows Titan Stealer’s dashboard.

Figure 2 – Titan Stealer TA Dashboard

The “My Account” section located in the panel of the Stealer provides information about the Threat Actor (TA) responsible for running this malware. This section includes the TA’s username, chat ID, subscription status, account expiry date, and options to reset the password.

The figure below displays the TA’s account details.

Figure 3 – Titan Stealer TA Account Page

The Titan Stealer panel includes a “Builder” page that allows TAs to create a customized version of the stealer executable. The executable can be compiled with a user-specified build ID, the file extensions to grab and gather from the victim’s machine, and the domain name it uses.

The figure below depicts the Builder page of the Titan Stealer panel.

Figure 4 – Titan Stealer Builder Page

Technical Analysis

We have identified multiple samples of Titan Stealer in the wild; for analysis, we used LEMONS.exe (SHA256: 0e4800e38fb6389f00d9e35f1a65669fecb3abf141a2680b9b8a5b5d255ae2cb).

The figure below shows additional file details.

Figure 5 – Titan Stealer Executable File IDs

The unique build ID of the Go compiled binary is shown in the figure below.

Figure 6 – Titan Stealer Build ID

Titan Stealer extracts system information such as the IP address, country, city, username, screen size, CPU model name, thread count, and GPU.

The figure below shows the stolen system information from the victim’s machine.

Figure 7 – Stolen System Information of the Victim

Upon execution, the stealer searches for multiple cryptocurrency wallets by checking the AppData\Roaming folder.

The figure below shows the crypto wallets targeted by Titan Stealer.

Figure 8 – Crypto wallets targeted by Titan Stealer

If the stealer identifies wallets installed on the victim’s system, it grabs the related files and sends them to the C&C server. After checking for wallets, the stealer scans the system for installed software and sends the list of installed software to its C&C server.

The figure below shows the installed software list enumerated by the stealer.

Figure 9 – Installed Software Information Extracted by Titan Stealer

The stealer then checks for installed web browsers and extracts browser data such as autofill entries, session cookies, history, and passwords.

The figure below shows the stealer targeting Chrome data.

Figure 10 – Stealer Enumerating Chrome User Data

The stealer targets the following web browsers:

  • Mozilla Firefox
  • Google Chrome
  • Yandex Browser
  • Opera GX Stable
  • Chromium
  • Opera Stable
  • Brave-Browser
  • Vivaldi
  • Microsoft Edge
  • 7Star
  • Iridium
  • Cent Browser
  • Kometa
  • Elements Browser
  • Epic Privacy Browser
  • Uran
  • Citrio
  • Coowon
  • Liebao
  • QIP surf
  • Orbitum
  • Amigo
  • Torch
  • Comodo
  • 360Browser
  • Maxthon3
  • Nichrome
  • CocCoc

The figure below shows the stealer enumerating the Steam Application.

Figure 11 – Stealer Enumerating Steam

  • The stealer enumerates and grabs text and document files present in locations including AppData\Roaming, Desktop, and Downloads.
  • The stealer then targets FTP clients such as FileZilla and GHISLER and steals FTP server credentials.
  • The stealer also targets and steals Telegram data stored at C:\Users\<user>\AppData\Roaming\Telegram Desktop\tdata, as shown in the figure below.

The figure below shows the stealer enumerating FTP client and Telegram data.

Figure 12 – Stealer Enumerates FTP applications and Telegram

C&C Communication

Finally, the stealer compresses the stolen data into a zip file and converts the zip file into a Base64-encoded string. This data is then sent to 77[.]73[.]133[.]85:5000/sendlog.
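As an added, defender-side example (not code from Cyble or from the stealer itself), the small Python checker below flags the exfiltration pattern just described: a POST to /sendlog whose body is a Base64 string that decodes to a ZIP archive. The sample request is constructed inline, and the Host address is a TEST-NET placeholder rather than the real C&C.

```python
"""Detect Titan Stealer-style exfiltration: an HTTP POST to /sendlog whose body is
a Base64 string that decodes to a ZIP archive (added example, not Cyble's code)."""
import base64
import binascii
import io
import zipfile

EXFIL_PATH = "/sendlog"           # URI path reported in the write-up
ZIP_MAGIC = b"PK\x03\x04"         # local file header signature of a ZIP archive

def build_sample_request() -> bytes:
    """Constructed sample: zip two stolen-looking files, Base64-encode, wrap in HTTP.
    The Host value is a TEST-NET placeholder, not the real C&C address."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("System Information.txt", "Username: victim\nCPU: sample\n")
        zf.writestr("Browsers/Google Chrome/Cookies.txt", "example.com\tsid=abc\n")
    body = base64.b64encode(buf.getvalue())
    head = (f"POST {EXFIL_PATH} HTTP/1.1\r\nHost: 192.0.2.10:5000\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body

def analyze_request(raw: bytes) -> dict:
    """Inspect one raw HTTP request; flag a POST whose body is a Base64-encoded ZIP.
    Returns {'suspicious': bool, 'reason': str, 'entries': [archive member names]}."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode(errors="replace").split()
    if len(parts) < 2 or parts[0] != "POST":
        return {"suspicious": False, "reason": "not a POST", "entries": []}
    try:
        decoded = base64.b64decode(body, validate=True)   # reject non-Base64 bodies
    except binascii.Error:
        return {"suspicious": False, "reason": "body is not Base64", "entries": []}
    if not decoded.startswith(ZIP_MAGIC):               # Base64 but not an archive
        return {"suspicious": False, "reason": "decoded body is not a ZIP", "entries": []}
    try:
        with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
            entries = zf.namelist()                     # what was exfiltrated
    except zipfile.BadZipFile:
        entries = []                                    # truncated/corrupt capture
    reason = "Base64-encoded ZIP in POST body"
    if parts[1].endswith(EXFIL_PATH):
        reason += f" to {EXFIL_PATH}"
    return {"suspicious": True, "reason": reason, "entries": entries}

if __name__ == "__main__":
    print(analyze_request(build_sample_request()))
```

The archive member names returned in `entries` are what a responder would pull into the incident record to scope which data left the host.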

The figure below shows the data exfiltration of Titan Stealer.

Figure 13 – Data Exfiltration

The figure below shows the contents of the zip file sent to the C&C server.

Figure 14 – Data Stolen by the Titan Stealer

Conclusion

Information stealer malware can be highly dangerous as it can extract confidential and vital information from an infected system, resulting in financial damage.

Additionally, the attacker can use the stolen credentials to carry out identity theft and attack other victims. Such breaches can have severe consequences, especially if an organization’s information is compromised.

Cyble Research and Intelligence Labs (CRIL) will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

  • The initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.
  • Avoid downloading pirated software from Warez/Torrent websites. “Hack Tools” offered on sites such as YouTube and Torrent sites contain such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices. 
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs. 
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
  • Monitor beacons at the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic                 Technique ID   Technique Name
Execution              T1204          User Execution
Credential Access      T1003          OS Credential Dumping
                       T1552          Credentials in Registry
Discovery              T1082          System Information Discovery
                       T1518          Security Software Discovery
                       T1083          File and Directory Discovery
                       T1087          Account Discovery
Collection             T1005          Data from Local System
Command and Control    T1071          Application Layer Protocol
                       T1095          Non-Application Layer Protocol

Indicators of Compromise (IOCs)


Source: https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/