While some malware writers try to give their products a false air of legitimacy to protect themselves, the developer of this cryptocurrency theft software doesn’t even try.
According to Palo Alto Networks, malware authors who sell their creations on forums often claim their products are for educational or research purposes only, a futile attempt to create a legal defense. However, for this developer who is advertising a new cryptocurrency thief, Palo Alto researchers have used the adjective “shameless”.
Indeed, the malware – named WeSteal – is touted as the “main way to make money in 2021”.
[Image credit: Palo Alto Networks]
“It steals all bitcoin (BTC) and Ethereum (ETH)”
The WeSupply Crypto Stealer malware has been sold online since May 2020 by a developer going by the name WeSupply, and another actor, ComplexCodes, started selling WeSteal in mid-February of this year. An investigation into the seller also revealed potential links to the sale of access to streaming-service accounts, including Netflix, Disney+, DoorDash and Hulu.
The team believes WeSteal is an evolution of the WeSupply Crypto Stealer project. The creators claim that WeSteal is the “world’s most advanced cryptocurrency thief.”
An advertisement for this malware lists its features, such as a victim tracking panel, automatic startup, antivirus bypass, and the claim that the malware exploits zero-day vulnerabilities. “It steals all bitcoin (BTC) and Ethereum (ETH) that comes in and out of a victim’s wallet through the clipboard; it also has many features like a GUI / panel similar to those of a RAT (Remote Access Trojan)”, one can read in the advertisement.
[Image credit: Palo Alto Networks]
Litecoin, Bitcoin Cash and Monero have also been added to the list of cryptocurrencies targeted by this malware.
The malware author could in turn easily defraud his own clients
The researchers’ analysis of the Python-based malware reveals that it searches the victim’s clipboard for strings that look like wallet addresses. When one is found, the address is replaced with an attacker-controlled wallet, so that any cryptocurrency transfer the victim pastes into ends up in the operator’s pocket.
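The check below is an added example written for this article; it is not code from the original page or from Palo Alto Networks' report, and it does not reproduce the malware. It shows the defensive side of the mechanism just described: a wallet front-end or a user-side helper records what was copied, classifies both the copied text and the text about to be pasted as address-shaped strings, and refuses the paste when both are valid-looking addresses that differ. It also reports how many leading and trailing characters still match, because a visual spot check of an address's ends is exactly what a swapped address can be chosen to pass. The address patterns are loose syntactic matchers for the currency families the article names (they do not verify checksums), and every sample address is constructed.

```python
"""
Clipboard address-swap check (added example, not from the article or
from Palo Alto Networks). All addresses below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Loose syntactic patterns for the address families named in the article.
# They recognise address-shaped strings only; they do not validate checksums.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[a-z0-9]{25,62})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM3][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[a-z0-9]{25,62})$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify_address(text: str) -> List[str]:
    """Return the families whose syntax `text` matches.

    Several may match: a '3...' P2SH address is valid syntax for both BTC
    and LTC, which is why the caller gets a list rather than one name.
    """
    s = text.strip()
    return [name for name, pat in ADDRESS_PATTERNS.items() if pat.match(s)]


def matching_ends(a: str, b: str) -> Tuple[int, int]:
    """Length of the common prefix and (non-overlapping) common suffix.

    People commonly spot-check only the first and last few characters of an
    address; a UI can use these counts to say how much actually differed.
    """
    limit = min(len(a), len(b))
    lead = 0
    while lead < limit and a[lead] == b[lead]:
        lead += 1
    trail = 0
    while trail < limit - lead and a[-1 - trail] == b[-1 - trail]:
        trail += 1
    return lead, trail


def check_paste(copied: str, about_to_paste: str) -> Dict[str, object]:
    """Decide whether the text about to be pasted is what the user copied.

    verdict: 'ok'      - clipboard unchanged
             'swapped' - both strings are address-shaped but differ (the
                         signature of a clipboard stealer)
             'changed' - clipboard differs but no address swap is involved
    """
    copied_kinds = classify_address(copied)
    pasted_kinds = classify_address(about_to_paste)
    if copied.strip() == about_to_paste.strip():
        verdict = "ok"
    elif copied_kinds and pasted_kinds:
        verdict = "swapped"
    else:
        verdict = "changed"
    result: Dict[str, object] = {
        "verdict": verdict,
        "copied_kind": copied_kinds,
        "pasted_kind": pasted_kinds,
    }
    if verdict == "swapped":
        result["matching_ends"] = matching_ends(copied.strip(), about_to_paste.strip())
    return result


# Constructed sample: an ETH address the user copied, and a replacement that
# keeps the same first four and last four hex digits so a glance would pass.
COPIED_ETH = "0xab5801a7d398351b8be11c439e05c5b3259aec9b"
SWAPPED_ETH = "0xab58" + "f0" * 16 + "ec9b"

if __name__ == "__main__":
    for before, after in [
        (COPIED_ETH, COPIED_ETH),
        (COPIED_ETH, SWAPPED_ETH),
        ("meeting notes", "meeting notes v2"),
    ]:
        print(check_paste(before, after))
```

In a real client the copy event is hooked to remember `copied`, and `check_paste` runs on the paste event; a `swapped` verdict should block the paste and show both full addresses side by side rather than just the ends, since the sample above shares its first six and last four characters with the original.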
Although the malware’s creators claim that it also has RAT capabilities, the researchers are not convinced. They believe WeSteal has only a simple command and control (C2) communication structure rather than the features typically associated with Trojans – keystroke logging, credential exfiltration and webcam hijacking. The developers of WeSteal offer control servers as a service and also seem to run some form of customer “service”; however, the current user base appears to be small.
“WeSteal is basic malware that has only one malicious function,” the researchers explain. “Its simplicity goes hand in hand with its efficiency for cryptocurrency theft. It is surprising that clients entrust their ‘victims’ to the potential control of the malware author, who in turn could presumably defraud them, stealing the ‘bots’ from the victims or replacing the clients’ wallets. It is also surprising that the malware author takes the risk of legal action for what must surely be a small profit.” A remote access Trojan (RAT), WeControl, was also added to the developers’ offering after the report was released, and awaits further analysis.