In late 2022, a new type of malware appeared on the cybersecurity radar. It has been named Titan Stealer and is one of the most effective pieces of stealer malware to have emerged.
Malware based on Golang
Before we delve into the new malware, we need to cover Golang, the language Titan Stealer is built on.
Golang, or Go, is an open-source programming language designed and developed by Google. It is intended to be simpler and easier to use than existing programming languages.
The official name of the programming language is Go, but both names are used - Golang is implicitly linked to Go, and many know that it's Go when Golang is mentioned. Golang is basically a contraction of "Go" and "language". In addition, the original domain name of the Go website was "golang.org" - which also explains the use of both names.
The programming language was developed because coding at Google was becoming too complex. The company therefore wanted a simpler language that would make its programmers' job easier.
It was developed by Robert Griesemer, Rob Pike and Ken Thompson from Google, all three of whom were unhappy with the programming language they were using - so it was appropriate to develop a new one.
Go was born in 2009, and was made an open system in 2012, when the first version, 1.0, was released. It was warmly received by users because of its simpler programming language.
It is used by companies like Google, Netflix, Twitch, Dropbox and many others. One of the reasons it has become so popular is that the program can multitask, meaning you can have multiple tasks going on at the same time.
Go is used for, among other things:
- Programming
- Game development
- Cloud-based programming
Titan Stealers resurrected
The new malware first came to light on the messenger app Telegram. Telegram is a secure, encrypted and open-source app. Founded by Russian entrepreneur Pavel Durov in 2013, it is used all over the world (at the time of writing, Telegram has 550 million monthly users). Cybercriminals advertised Titan on Telegram because it is encrypted and secure, so there is no risk of sharing personal information - threat actors use it to publish newly found and newly created hacking methods.
The new malware was first discovered in November 2022 by a cybersecurity researcher.
What is Titan Stealer?
Titan Stealer is malware that can steal various information from infected Windows machines. This includes:
- Credit information from browsers
- Crypto wallets
- FTP (File Transfer Protocol) information
- Screenshots
- System information
The challenge with Titan is that it allows malicious actors to customize what they want to use Titan for. This includes what information they want to steal and what damage they want to do to a victim's machine and software.
When they activate Titan, it triggers a technique called process hollowing. In short, this technique removes some of the benign code in files and replaces it with malicious code that encrypts the files and compromises them.
As well as targeting files, Titan can also target internet browsers. These are browsers such as:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Vivaldi
Some of the crypto wallets mentioned in connection with Titan attacks are:
- Armory
- Atomic
- Bytecoin
- Coinomi
- Edge Wallet
- Ethereum
In addition to the above features, Titan can also collect lists of installed apps on your devices - here it steals information associated with the Telegram desktop app.
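A defender can turn the target lists above into a detection: alert when one process that is not the owning application reads the credential stores of several of these applications. The sketch below is an added example, not code from the original article; the event format and sample events are constructed, and the file paths are the applications' default Windows profile locations.

```python
import re
from collections import defaultdict

# app -> (owning executable, regex for its credential/session files on Windows)
CHROMIUM = r"\\User Data\\.+\\(Login Data|Web Data|Cookies)$"
STORES = {
    "chrome":   ("chrome.exe",   r"\\Google\\Chrome" + CHROMIUM),
    "edge":     ("msedge.exe",   r"\\Microsoft\\Edge" + CHROMIUM),
    "vivaldi":  ("vivaldi.exe",  r"\\Vivaldi" + CHROMIUM),
    "firefox":  ("firefox.exe",  r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    "telegram": ("telegram.exe", r"\\Telegram Desktop\\tdata\\"),
}
COMPILED = {app: (exe, re.compile(rx, re.I)) for app, (exe, rx) in STORES.items()}

# Constructed sample events (not real telemetry): time|pid|process image|file read
SAMPLE_EVENTS = r"""
2023-02-01T10:00:01|4120|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data
2023-02-01T10:02:13|7788|C:\Users\amy\AppData\Local\Temp\setup_x64.exe|C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data
2023-02-01T10:02:13|7788|C:\Users\amy\AppData\Local\Temp\setup_x64.exe|C:\Users\amy\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd.default\logins.json
2023-02-01T10:02:14|7788|C:\Users\amy\AppData\Local\Temp\setup_x64.exe|C:\Users\amy\AppData\Roaming\Telegram Desktop\tdata\key_datas
2023-02-01T11:30:00|5012|C:\Tools\backup.exe|C:\Users\amy\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
2023-02-01T11:45:09|6200|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\amy\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd.default\key4.db
""".strip().splitlines()

def classify(image, target):
    """Return the app whose store was read by a foreign process, else None."""
    # Name-only owner check is a simplification; a production rule should
    # also verify the image path and code signer.
    exe = image.rsplit("\\", 1)[-1].lower()
    for app, (owner, rx) in COMPILED.items():
        if rx.search(target) and exe != owner:
            return app
    return None

def detect(lines, min_apps=2):
    """Flag processes that read the stores of at least min_apps different apps."""
    touched = defaultdict(set)
    for line in lines:
        _, pid, image, target = line.split("|", 3)
        app = classify(image, target)
        if app:
            touched[(int(pid), image)].add(app)
    return {proc: sorted(apps) for proc, apps in touched.items() if len(apps) >= min_apps}

if __name__ == "__main__":
    for (pid, image), apps in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} read stores of: {', '.join(apps)}")
```

Backup and antivirus tools legitimately read these files, so expect to allow-list them; the `min_apps` threshold is an assumed tuning knob.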
Where does the stolen information end up?
Once the hackers have collected stolen information and they have control over files and documents, they send it to a "base" called Base64. This base is encrypted and secured. In addition, the actors access the data in a panel on their browsers, which further prevents victims from accessing the stolen data.
The exact way in which they spread the malware is still unclear. However, one can imagine that the hackers are using known methods such as phishing, MFA bombing, and unstable software. In addition, it is believed that the malware is spread by typosquatting and Trojan horses.
Experts believe that hackers are using Titan because it can operate between systems and platforms, so they can reside on multiple operating systems (e.g. Windows, macOS and Linux).
In addition, it also makes it harder for security systems to find the corrupt files that are installed with Titan Stealer. This is because the malicious files are so small that the security software has a harder time detecting them.
The motivation behind
When hackers use Titan Stealer, they are looking to steal personal data. This information can often be sold on the dark web, used for ransomware or used to blackmail the victim.
The most common reason for hacking is financial gain. There are incredible sums of money involved when it comes to stolen personal data, including a victim's cryptocurrency data.
Once a hacker has access to a victim's accounts, they can further exploit the fact that they can impersonate another person. When the hacker commits identity theft, they can target more people and make more money.
That's why you should be a little more vigilant when you receive emails and phone calls - the likelihood that a hacker is on the other end is higher than you might think.
Avoid Titan Stealer
One of the most important things you can do to avoid being hit by the Titan malware is to have good cybersecurity. By refreshing cybersecurity in the company with awareness training, you train employees to spot phishing and, more generally, to be more attentive online.
Avoid downloading files and programs that are unnecessary. Also check whether a download comes from a legitimate source - and here you have to look twice to be sure.
Caroline Preisler
Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.