July 2, 2022

WeSteal: ‘shameless’ cryptocurrency thief sold in metro

April 30, 2021

While some malware authors will try to create an air of legitimacy around their products to cover themselves against possible criminal cases in the future, the developer of one cryptocurrency stealer doesn’t even try.

According to Palo Alto Networks, malware authors peddling their creations in underground forums will often claim their products are for educational or research purposes only – a limp attempt to create a legal defense, just in case.

However, one developer is doing the rounds with a new commodity cryptocurrency stealer that has been described as “shameless” by the team.

Indeed, the malware – named WeSteal – is marketed as “the main way to make money in 2021”.

(Image: Palo Alto Networks)

The cryptocurrency theft malware WeSupply Crypto Stealer has been sold online since May 2020 by a developer known as WeSupply, and another player, ComplexCodes, started selling WeSteal in mid-February of this year.

An investigation of the sellers, considered to be co-conspirators, also revealed potential links to the sale of account access for streaming services such as Netflix, Disney+, Doordash and Hulu.

The team believes WeSteal is an evolution of the WeSupply Crypto Stealer project. Marketing includes “WeSupply – You Profit” and claims WeSteal is “the world’s most advanced cryptocurrency thief”.

An advertisement for the malware lists features such as a victim tracking panel, automatic startup, antivirus software bypass, and the claim that the malware uses zero-day exploits.

“It steals all Bitcoin (BTC) and Ethereum (ETH) coming in and out of a victim’s wallet via the clipboard, it also has many features such as the GUI / panel that looks like a RAT [Remote Access Trojan],” the ad reads.

(Image: Palo Alto Networks)

Litecoin, Bitcoin Cash, and Monero have also been added to the list of targeted cryptocurrencies.

Researcher analysis of the Python-based malware revealed that it searches the victim’s clipboard for strings that look like wallet addresses. When one is found, the address is replaced with a wallet controlled by the attacker, so that any cryptocurrency transfer the victim pastes into their wallet software ends up in the operator’s pocket.
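The behaviour described above is easy to spot from the defender’s side if you look at how the clipboard changes over time: a clipboard hijacker replaces one wallet address with another of the same coin type, and it does so without a corresponding copy action by the user. The following is an added example (not code from the article or from Palo Alto Networks) of that detection logic run over a constructed sequence of clipboard snapshots. The address patterns are approximations that match the general shape of BTC, ETH, LTC and XMR addresses (the coin families the article says WeSteal targets); the snapshot tuples, the wallet addresses and the `user_copied` flag are all constructed for the example, and a real monitor would have to collect them from the operating system’s clipboard and input events.

```python
import re
from typing import List, Optional, Tuple

# Rough shape of addresses for the coin families named in the article.
# These are format checks only (constructed approximations); they do not
# verify checksums, so they classify candidate strings rather than prove validity.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

# A clipboard snapshot: (timestamp in seconds, clipboard text, whether the
# change was caused by a user copy action). The third field is an assumption:
# a real monitor would derive it from keyboard/menu events.
Snapshot = Tuple[float, str, bool]
Alert = Tuple[float, str, str, str]


def classify(text: str) -> Optional[str]:
    """Return the coin family a string looks like, or None if it is not an address."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def detect_swaps(snapshots: List[Snapshot]) -> List[Alert]:
    """Flag clipboard changes where one wallet address was replaced by a
    different address of the same coin type without a user copy action.

    Returns (timestamp, coin, previous_address, new_address) per alert.
    """
    alerts: List[Alert] = []
    previous: Optional[str] = None
    for ts, text, user_copied in snapshots:
        if previous is not None and not user_copied:
            old_coin = classify(previous)
            new_coin = classify(text)
            # Same coin family, different address, no user action: the
            # signature of a clipboard hijacker.
            if old_coin is not None and old_coin == new_coin and text.strip() != previous.strip():
                alerts.append((ts, old_coin, previous.strip(), text.strip()))
        previous = text
    return alerts


# Constructed sample timeline (the addresses are made up and have no checksum validity).
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    (0.0, "meeting notes", True),
    (1.0, "1ExampUserWa11etAddrQzXbvRy9FLFGjS", True),    # user copies their BTC address
    (1.2, "1AtkQzXbvRy9FLFGjSwKdNfYTzRxG5pHm2", False),   # silently replaced: alert
    (5.0, "0x" + "ab" * 20, True),                        # user copies an ETH address
    (5.1, "0x" + "cd" * 20, False),                       # silently replaced: alert
    (7.0, "0x" + "ef" * 20, True),                        # user copies another one: no alert
    (9.0, "some ordinary text", False),                   # not an address: no alert
]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed timeline (expect two alerts)."""
    return detect_swaps(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for ts, coin, old, new in run_sample():
        print(f"t={ts:.1f}s {coin} address replaced without user action: {old} -> {new}")
```

The two alerts in the sample correspond to the replacement pattern the researchers describe. The same check is worth doing manually before any transfer: compare the pasted address, character by character, against the one shown by the recipient, since a swapped address is usually perfectly well-formed and will not be rejected by the wallet software.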

Although the malware is also advertised as having RAT capabilities, the researchers are not convinced, believing that WeSteal has something closer to a simple command-and-control (C2) communication structure rather than the features commonly associated with Trojans, such as keylogging, credential exfiltration, and webcam hijacking.

The developers of WeSteal offer C2 as a service and appear to run some form of customer “service” as well; however, the current user base appears small.

“WeSteal is shameless core malware with a single malicious function,” the researchers say. “Its simplicity goes hand in hand with a presumably simple efficiency in cryptocurrency theft. It is surprising that customers entrust their ‘victims’ to the potential control of the malware author, who in turn could arguably spoof them, steal the victim ‘bots’ or replace clients’ wallets [...] it is also surprising that the malware author would risk criminal prosecution for what must surely be a small profit.”

A Remote Access Trojan (RAT), WeControl, was also added to the developer’s product list after the report was released and awaits further analysis.
