Research by: Karthickkumar Kathiresan and Shilpesh Trivedi
The Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes. The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.
The TA has posted a screenshot of the builder tool for the malware, which includes options for targeting/stealing specific types of information, such as browser data, crypto wallet information, FTP client details, and Telegram plugins. The builder also includes options for collecting specific file types from the victim's machine.
Figure 1 - Titan stealer builder
The figure illustrates the malicious operation followed by the Titan Stealer malware.
Figure 2 - Titan Stealer workflow
Figure 3 - Initial Titan Stealer binary
The analyzed binary is a 32-bit executable compiled with GCC. Figure 3 above shows information about the different sections in the binary. The second section named ".data," has a larger raw size compared to the other sections and contains encrypted data for the Titan Stealer.
When the binary is executed, it decrypts the XOR-encoded payload in the same memory region, which is a Golang-compiled binary. The binary (stage 1) then uses a process-hollowing technique to inject itself into a legitimate target process called "AppLaunch.exe."
Figure 4 - Decryption loop and the dumped payload binary
The screenshot below shows the process chain of Titan Stealer.
Figure 5 - Process chain
The stage 2 binary is a 32-bit executable that starts running from the memory region of the "AppLaunch.exe" process after it has been successfully injected. The build ID of the Golang-compiled binary is also provided.
Figure 6 - Go build ID
The malware attempts to read all the files in the "User Data" folder of various browsers using the CreateFile API, in order to steal information such as credentials, autofill states, browser metrics, crashpad data, crowd deny data, cache data, code cache data, extension state data, GPU cache data, local storage data, platform notifications data, session storage data, site characteristics database data, storage data, and sync data.
The FindFirstFileW API is a function in the Windows operating system that allows a program to search for a file in a directory or subdirectory. It can be used to enumerate all the files in a directory, including hidden files. Malware can use the FindFirstFileW API to search for specific files or directories on the system, such as the directories where browsers are installed.
Figure 7 - Enumerated folder shown in the Uptycs UI
The malware targets specific browser directories on a system to identify and potentially attack the installed browsers.
%USERPROFILE%\AppData\Local\Google\Chrome\ |
%USERPROFILE%\AppData\Local\Chromium\ |
%USERPROFILE%\AppData\Local\Yandex\YandexBrowser\ |
%USERPROFILE%\AppData\Roaming\Opera Software\Opera Stable\ |
%USERPROFILE%\AppData\Local\BraveSoftware |
%USERPROFILE%\AppData\Local\Vivaldi\ |
%USERPROFILE%\AppData\Local\Microsoft\Edge\ |
%USERPROFILE%\AppData\Local\7Star\7Star\ |
%USERPROFILE%\AppData\Local\Iridium\ |
%USERPROFILE%\AppData\Local\CentBrowser\ |
%USERPROFILE%\AppData\Local\Kometa\ |
%USERPROFILE%\AppData\Local\Elements Browser\ |
%USERPROFILE%\AppData\Local\Epic Privacy Browser\ |
%USERPROFILE%\AppData\Local\uCozMedia\Uran\ |
%USERPROFILE%\AppData\Local\Coowon\Coowon\ |
%USERPROFILE%\AppData\Local\liebao\ |
%USERPROFILE%\AppData\Local\QIP Surf\ |
%USERPROFILE%\AppData\Local\Orbitum\ |
%USERPROFILE%\AppData\Local\Amigo\User\ |
%USERPROFILE%\AppData\Local\Torch\ |
%USERPROFILE%\AppData\Local\Comodo\ |
%USERPROFILE%\AppData\Local\360Browser\Browser\ |
%USERPROFILE%\AppData\Local\Maxthon3\ |
%USERPROFILE%\AppData\Local\Nichrome\ |
%USERPROFILE%\AppData\Local\CocCoc\Browser\ |
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\ |
Titan Stealer targets the following cryptocurrency wallets and collects information from them, sending it to the attacker's server.
Edge Wallet |
Coinomi |
Ethereum |
Zcash |
Armory |
bytecoin |
The malware collects various types of logs from the infected machine, including browser information such as credentials, cookies, and history, as well as data from crypto wallets and FTP clients. Titan Stealer transmits information to a command and control server using base64 encoded archive file formats as shown in Figure 8 below.
Figure 8 - Sending data to C2
Threat actor is advertising and selling Titan Stealer through a Russian-based Telegram channel (https[:]//t.me/titan_stealer). The author shares updates and bug fixes frequently as shown in Figure 9. This may be a sign that they are actively maintaining and distributing the malware.
Figure 9 - Telegram channel
The threat actor has access to a separate panel that allows them to view the login activities and other data of a victim. This type of activity is often associated with cybercrime and can have serious consequences for both the victim and the attacker.
Figure 10 - Login panel of Titan Stealer
Figure 11 - Titan Stealer Dashboard
A Shodan query could be used to identify and track the activity of the Titan Stealer as shown in Figure 12.
Shodan Query: http.html:"Titan Stealer"
Figure 12 - Shodan query
To defend against malware attacks like the Titan Stealer, it is recommended to:
Enterprises should also implement tight security controls and multi-layered visibility and security solutions to identify and detect such malware. For example, Uptycs’ EDR (Endpoint Detection and Response) correlation engine is able to detect the Titan Stealer's activity by using behavioral rules and YARA process scanning capabilities.
Uptycs EDR customers can easily scan for Titan Stealer since Uptycs EDR is armed with YARA process scanning and advanced detections. Additionally, Uptycs EDR contextual detection provides important details about the identified malware. Users can navigate to the toolkit data section in the detection alert and click on the name to find out the behavior as shown below (Figure 13 & 14).
Figure 13 - Process tree for the malware in an Uptycs EDR detection
Figure 14 - Uptycs EDR detection UI showing Titan Stealer YARA rule match
Tactic |
Technique ID |
Technique Name |
Defense Evasion |
T1055.012 |
Process Hollowing |
Discovery |
T1083 |
File and Directory Discovery |
Discovery |
T1082 |
System Information Discovery |
Exfiltration |
T1041 |
Exfiltration Over C2 Channel |
File name |
Md5 hash |
Stage 1 |
e7f46144892fe5bdef99bdf819d1b9a6 |
Stage 2 |
b10337ef60818440d1f4068625adfaa2 |
Md5 hashes |
File Type |
82040e02a2c16b12957659e1356a5e19 |
Executable |
1af2037acbabfe804a522a5c4dd5a4ce |
Executable |
01e2a830989de3a870e4a2dac876487a |
Executable |
a98e68c19c2bafe9e77d1c00f9aa7e2c |
Executable |
7f46e8449ca0e20bfd2b288ee6f4e0d1 |
Executable |
78601b24a38dd39749db81a3dcba52bd |
Executable |
b0604627aa5e471352c0c32865177f7a |
Executable |
1dbe3fd4743f62425378b840315da3b7 |
Executable |
5e79869f7f8ba836896082645e7ea797 |
Executable |
2815dee54a6b81eb32c95d42afae25d2 |
Executable |
82040e02a2c16b12957659e1356a5e19 |
Executable |
http[:]//77.73.133.88[:]5000 |
http[:]//77.73.133.88[:]5000/sendlog |