Titan malware, sold as a service, is unique in its customizable functionality, enabling users to tailor the malware to their specific needs [2][3]. Upon execution, Titan employs a technique known as process hollowing, injecting its malicious payload into the memory of a legitimate process and thereby making detection more difficult [4].
Titan malware is a Golang-based information stealer. The choice of Golang for its development makes the malware cross-platform, enabling it to run on multiple operating systems such as Windows, Linux, and macOS. Furthermore, the Go-compiled binary files are small, making them difficult for security software to detect [1].
When executed, Titan uses process hollowing to inject its malicious payload into the memory of a legitimate process, specifically AppLaunch.exe, the Microsoft .NET ClickOnce Launch Utility. This technique helps the malware evade detection by appearing as a legitimate process in the system's memory [2].
The malware is designed to steal a wide range of information from infected systems. It can collect credential data from various web browsers and crypto wallets, including Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash. It also gathers FTP client details, screenshots, system information, and grabbed files. Furthermore, it can obtain the list of applications installed on the host and capture data associated with the Telegram desktop app [3].
The collected data is then compiled into a Base64-encoded archive file and transmitted to a remote server under the attacker's control. Titan malware also includes a web panel, which allows the adversaries to access and manage the stolen data [4].
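A defensive check for the exfiltration step described above, added here as an example and not taken from the page or from any Titan analysis: it strictly decodes candidate outbound POST bodies as Base64 and tests the result for archive magic bytes, run over a constructed request log whose hosts are placeholders.

```python
import base64
import io
import re
import zipfile
from typing import Optional

# Magic bytes of archive formats an exfil bundle is likely to begin with (constructed, non-exhaustive).
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

def decode_strict_base64(body: str) -> Optional[bytes]:
    """Decode body if it is well-formed Base64 (whitespace tolerated), else None."""
    compact = re.sub(r"\s+", "", body)
    if len(compact) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error (bad padding / stray chars) is a ValueError
        return None

def archive_kind(body: str) -> Optional[str]:
    """Return the archive type hidden in a Base64 request body, or None."""
    data = decode_strict_base64(body)
    if data is None:
        return None
    for magic, kind in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return kind
    return None

def scan_requests(requests):
    """Return (host, archive kind) for each body that carries a Base64-encoded archive."""
    return [(h, archive_kind(b)) for h, b in requests if archive_kind(b) is not None]

def build_sample_zip() -> bytes:
    """Constructed stand-in for a stolen-data bundle: a tiny in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("system_info.txt", "constructed sample, not real data")
    return buf.getvalue()

# Constructed request log: (destination host, POST body); hosts are placeholders.
SAMPLE_REQUESTS = [
    ("panel.example.invalid", base64.b64encode(build_sample_zip()).decode()),
    ("api.example.invalid", '{"status": "ok"}'),
    ("cdn.example.invalid", base64.b64encode(b"plain text upload").decode()),
]
```

Only the body carrying the encoded zip is flagged; plain JSON and Base64-encoded text pass through, which keeps the rule usable alongside destination-based alerting on the web panel's host.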
Distribution of Titan Malware
Though the exact distribution strategy of Titan malware is still unclear, it is likely that the threat actors use traditional methods such as phishing, malicious ads, and cracked software [5]. Malware in general is often propagated via lookalike websites of popular software, with domains regularly updated to host trojanized versions of different applications. To evade detection by antivirus software, some malware uses a method known as padding, artificially inflating the size of the executable by appending random data [6].
Price and Availability
Titan malware is sold as a service, with a pricing model that includes different tiers based on the buyer's needs. It is offered for $120/month for beginners, $140/month for advanced users, and $999/month for teams [7]. It is advertised on a Telegram channel with over 600 subscribers, signifying its popularity among cybercriminals [8].
Given the threat posed by Titan malware, it is crucial to maintain robust security measures and keep abreast of the latest developments in cybersecurity. Understanding how Titan operates provides valuable insight for strengthening your defenses against this potent threat.