Cyble – Titan Stealer: The Growing Use Of GoLang Among Threat Actors

Threat actors are increasingly using Go (Golang) to develop cross‑platform information stealers, with Titan Stealer highlighted as a recent example. The article covers Titan Stealer’s Go-based builder, its C2 infrastructure and dashboards, the data it collects, how it exfiltrates stolen data, and recommended defenses.

Keypoints

  • Go (Golang) is being adopted to create cross‑platform information stealer malware that can run on Windows, Linux, and macOS.
  • Titan Stealer is a notable example spotted by CRIL with associated C2 infrastructures and dashboards.
  • The Stealer has a built‑in Builder that lets threat actors customize builds (e.g., build ID, file extensions) to target victims.
  • The TA account panel reveals account details (username, chat ID, subscription status, expiry, password reset options).
  • Titan Stealer collects extensive data from the host (system info, wallets, installed software, browsers, Steam, Telegram, FTP credentials) and exfiltrates it to C2.

MITRE Techniques

  • [T1204] User Execution – The initial infection may happen via phishing websites. “The initial infection may happen via phishing websites”
  • [T1082] System Information Discovery – The stealer extracts system information such as IP, country, city, Username, Screen size, CPU model name, threads, and GPU. “The Titan Stealer extracts system information such as IP, country, city, Username, Screen size, CPU model name, threads, and GPU.”
  • [T1518] Security Software Discovery – The stealer scans for installed software. “The stealer then proceeds to scan the system for installed software and sends a list of installed software to its C&C server.”
  • [T1083] File and Directory Discovery – It enumerates files in locations such as AppData\Roaming, Desktop, and Downloads. “enumerates text and document files that are present in the locations, including AppData\Roaming, Desktop, and Downloads.”
  • [T1087] Account Discovery – The My Account section reveals TA details (username, chat ID, subscription status, expiry, password reset). “The ‘My Account’ section… provides information about the Threat Actor (TA)… This section includes the TA’s username, chat ID, subscription status, account expiry date, and options to reset the password.”
  • [T1005] Data from Local System – The stealer grabs data such as wallets, installed software, and other local artifacts. “If the stealer identifies the wallets installed in the victim’s system, it grabs the related files and sends them to the C&C server.”
  • [T1071] Application Layer Protocol – C2 data exfiltration uses an application-layer protocol: the stolen data is zipped, Base64-encoded and sent to the C2 endpoint. “Finally, the stealer compresses the stolen data into a zip file and converts the zip file into Base64 encoded string. This data is then sent to 77[.]73[.]133[.]85:5000/sendlog.”
  • [T1095] Non-Application Layer Protocol – The data exfiltration explicitly occurs over a non‑application layer channel as part of the C2 flow. “This data is then sent to 77[.]73[.]133[.]85:5000/sendlog.”
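
The exfiltration pattern described above (zip, Base64-encode, send to a `/sendlog` endpoint on the C2 host) is distinctive enough to check for in outbound web traffic. The following is an added detection example, not code from Cyble or from the malware; it takes one outbound request (host, path, body) and reports which of the write-up's indicators match, including whether the body is Base64 that decodes to a ZIP archive. The sample payload it builds is constructed for the demonstration.

```python
import base64
import binascii
import io
import zipfile
from typing import Optional

# Indicators taken from the Cyble write-up summarised above.
KNOWN_C2_HOSTS = {"77.73.133.85"}       # observed C2 (port 5000 in the write-up)
EXFIL_PATH = "/sendlog"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive

def decode_zip_payload(body: bytes) -> Optional[bytes]:
    """Return the decoded bytes if body is strict Base64 that decodes to a ZIP, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(ZIP_MAGICS) else None

def classify_request(host: str, path: str, body: bytes) -> list[str]:
    """Return the list of matched indicators for one outbound HTTP request."""
    hits = []
    if host in KNOWN_C2_HOSTS:
        hits.append("known_c2_host")
    if path == EXFIL_PATH:
        hits.append("sendlog_path")
    raw = decode_zip_payload(body)
    if raw is not None:
        hits.append("base64_zip_body")
        # Member names are useful triage context (the stealer bundles harvested files).
        try:
            names = zipfile.ZipFile(io.BytesIO(raw)).namelist()
            hits.append(f"zip_members={len(names)}")
        except zipfile.BadZipFile:
            pass
    return hits

def build_sample_payload() -> bytes:
    """Constructed sample: a tiny zip, Base64-encoded the way the write-up describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("system_info.txt", "constructed sample, not real victim data")
    return base64.b64encode(buf.getvalue())

if __name__ == "__main__":
    sample = build_sample_payload()
    print(classify_request("77.73.133.85", "/sendlog", sample))   # all indicators hit
    print(classify_request("example.com", "/api/upload", b"not base64!!"))  # []
```

The body check is the part worth keeping when the C2 host or path changes, since it keys on the exfiltration format rather than on a single IP.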

Indicators of Compromise

  • [Hash] Titan Stealer MD5/SHA1/SHA256 examples – 0f3ac2b54489cfb63beffdec269c9f0e, 2155e10488f0e1bec472c6c80ab23271c94f18e8, 0e4800e38fb6389f00d9e35f1a65669fecb3abf141a2680b9b8a5b5d255ae2cb
  • [Hash] Titan Stealer additional hashes – b07263f74d432404b68c0bb1ad2f7844, 5936d4e9771ff57ac41852eae6865418fe041e1f
  • [IP] C2 server – 77.73.133.85
  • [URL] C2 endpoint – 77.73.133.85:5000/sendlog
  • [File] Analysis binary referenced – LEMONS.exe

Read more: https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/