WeSteal Cryptocurrency-Stealing

A new cryptocurrency stealer called WeSteal is being sold on the cybercrime underground, advertised as “the leading way to make money in 2021.”

What is WeSteal?

WeSteal is Python-based malware that uses regular expressions to search the victim's clipboard for strings that look like cryptocurrency wallet addresses.

The actor ComplexCodes advertised the cryptocurrency stealer on underground forums in mid-February 2021. Experts pointed out that ComplexCodes had been selling a “WeSupply Crypto Stealer” since May 2020, and WeSteal is likely simply an evolution of the WeSupply Crypto Stealer project.

Comments shared by Researchers:

The researchers picked apart the WeSteal cryptocurrency wallet-pickpocketing tool and a related remote-access trojan (RAT) called WeControl, saying it is “shameless” how the developers aren’t even trying to hide the tools’ true intent.

How does WeSteal work?

Palo Alto Networks analysts found evidence linking ComplexCodes to a site that sells stolen accounts for services such as Netflix, Disney+, Pornhub, Spotify, Hulu, and more.


The intent is once again on display with ComplexCodes’ Discord-based commodity distributed denial-of-service (DDoS) offering, “Site Killah”.

(Figure: DDoS service advertisement)

There is a website, “WeSupply,” owned by a co-conspirator, proudly stating “WeSupply – You profit”.

(Figure: WeSupply advertisement)

WeSteal Features:

WeSupply’s posts on forums also describe support for zero-day exploits and “Antivirus Bypassing”.

(Figure: WeSteal features)

WeSteal includes a “Victim tracker panel” that tracks “Infections” – leaving no doubt about the context.

(Figure: WeSteal antivirus scanning results)

ComplexCodes profits from the sale of WeSteal by charging €20 for one month, €50 for three months and €125 for one year.

Working Principle:

WeSteal uses a simple but effective way to hijack cryptocurrency-receiving addresses: it rummages through the clipboard, searching for strings matching Bitcoin and Ethereum wallet identifiers. When it finds one, WeSteal swaps the legitimate wallet ID in the clipboard for one of its own. When the victim pastes the swapped wallet ID into a transaction, the funds are whisked off to the attacker’s wallet.
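The swap described above can be spotted from the defender's side with the same kind of pattern matching. The following Python example is added here and is not code from the article or from the WeSteal tool: it records the address the user intentionally copied and raises an alert when the clipboard later holds a different address of the same family, which is the signature of a clipper. Clipboard polling is left out so the example runs offline; the `SAMPLE_EVENTS` list of (copied, observed) pairs is constructed sample data, and the regular expressions are assumed approximations of Bitcoin and Ethereum address shapes with no checksum validation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose address-shape patterns (assumed; no checksum validation). The same kind
# of matching the stealer uses to find addresses lets a defender notice a swap.
ADDRESS_PATTERNS = {
    "btc": [
        # Legacy Bitcoin: P2PKH starts with "1", P2SH with "3"; base58 alphabet
        re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
        # Bech32 (segwit) Bitcoin: "bc1" prefix, lowercase bech32 charset
        re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    ],
    # Ethereum: "0x" followed by 40 hex digits
    "eth": [re.compile(r"^0x[0-9a-fA-F]{40}$")],
}


def classify_address(text: str) -> Optional[str]:
    """Return "btc" or "eth" if `text` is shaped like a wallet address, else None."""
    candidate = text.strip()
    for family, patterns in ADDRESS_PATTERNS.items():
        if any(p.match(candidate) for p in patterns):
            return family
    return None


@dataclass
class SwapAlert:
    family: str    # address family that was replaced
    expected: str  # what the user copied
    observed: str  # what the clipboard held afterwards


def detect_clipboard_swap(copied: str, current: str) -> Optional[SwapAlert]:
    """Compare the address the user copied with the clipboard's current value.

    A clipper replaces an address with a *different address of the same family*.
    A user overwriting the clipboard with unrelated text, or an unchanged
    clipboard, is not an alert.
    """
    expected_family = classify_address(copied)
    if expected_family is None:
        return None                      # user never copied an address
    if current.strip() == copied.strip():
        return None                      # clipboard untouched
    if classify_address(current) == expected_family:
        return SwapAlert(expected_family, copied.strip(), current.strip())
    return None                          # replaced by non-address text


def scan_clipboard_history(events: List[Tuple[str, str]]) -> List[SwapAlert]:
    """Run the swap check over (copied, observed-before-paste) pairs."""
    alerts = []
    for copied, observed in events:
        alert = detect_clipboard_swap(copied, observed)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample data: fake addresses, not real wallets.
VICTIM_BTC = "1DefenderTestAddrAaBbCcDdEeFfGg"
SWAPPED_BTC = "1AttackerSwapAddrXxYyZzWwVvUuTt"
VICTIM_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
SWAPPED_ETH = "0x" + "deadbeef" * 5

SAMPLE_EVENTS = [
    (VICTIM_BTC, VICTIM_BTC),                  # benign: pasted what was copied
    (VICTIM_BTC, SWAPPED_BTC),                 # clipper replaced BTC address
    ("meeting notes at 3pm", "meeting notes at 3pm"),  # benign: not an address
    (VICTIM_ETH, SWAPPED_ETH),                 # clipper replaced ETH address
    (VICTIM_ETH, "some other text"),           # benign: user copied new text
]

if __name__ == "__main__":
    for alert in scan_clipboard_history(SAMPLE_EVENTS):
        print(f"[{alert.family}] clipboard address changed: "
              f"{alert.expected} -> {alert.observed}")
```

In practice a watchdog polls the clipboard and compares each reading with the last value the user copied; the distinction it relies on is that a clipper substitutes an address of the same family, whereas a user overwriting the clipboard produces unrelated text or an address of a different family.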

In true crimeware-as-a-service fashion, WeSteal uses a hosted command-and-control (C2) service, which it ambitiously describes as a RAT Panel. The researchers did not find any actual remote access trojan (RAT) features, though: for example, there was no keylogging, credential exfiltration, or webcam hijacking capability.

The tool is, however, distributed as a Python-based trojan in a script named “westeal.py”. 

Soon after the researchers’ report was published, they saw that a RAT called WeControl had been added to the developer’s roster. As of Thursday, they were still planning to analyze that one.

Conclusion:

Given this growing threat, take all necessary steps to guard your cryptocurrency wallet.