WeSteal: A Cryptocurrency-Stealing Tool That Does Just That

The developer of the WeSteal cryptocurrency stealer can’t be bothered with fancy talk: they say flat-out that it’s “the leading way to make money in 2021”.

Some cybercriminals try, at least, to cover their dirty work with a threadbare “this will throw off the lawsuits” blanket of legitimacy. For example, phone-tracking tools that silently install and operate and which are supposedly meant for parents to (legally) watch out for their kids (in actuality, stalkerware), ransomware gangs that blab rationalizations about “helping” by spotting zero days before their victims do, or the other coverups used to hawk anti-malware evasion tools, cryptocurrency miners, password crackers or webcam-light disablers

But who has time to waste on such pretense?

Not WeSteal. As the name alone makes clear, the developers of WeSteal can’t be bothered with the flimflam. Whoever authored the new cryptocurrency-stealing tool says flat-out that it’s “the leading way to make money in 2021”. 

zoho webinar promo

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

“There is no … pretense by ComplexCodes with WeSteal. There is the name of the malware itself. Then there is the website, ‘WeSupply,’ owned by a co-conspirator, proudly stating ‘WeSupply – You profit'”,  a Palo Alto Networks team says about the new tool they found being peddled on the underground. 

In a post on Thursday, the researchers picked apart the WeSteal cryptocurrency wallet-pickpocketing tool and a related remote-access trojan (RAT) called WeControl, saying that it’s  “shameless” the way the developers aren’t even trying to hide the tools’ true intent. 

“WeSteal is a shameless piece of commodity malware with a single, illicit function,” they say. “Its simplicity is matched by a likely simple effectiveness in the theft of cryptocurrency. The low-sophistication actors who purchase and deploy this malware are thieves, no less so than street pickpockets. Their crimes are as real as their victims.”

WeSteal, Nee WeSupply, Nee Etc. Etc. Etc. 

What’s new about this cryptocurrency ripper-offer? From what researchers can determine, mostly, the name. A threat actor named ComplexCodes began advertising WeSteal on the underground in mid-February, but before that, they started selling a WeSupply Crypto Stealer in May 2020. Code samples point to WeSteal having evolved from that earlier tool. 

The tool’s author also previously churned out the Zodiac Crypto Stealer, as well as malware called Spartan Crypter that’s used to throw antivirus detection off the trail. Also, the Palo Alto Network analysts found evidence linking ComplexCodes to a site that sells stolen accounts for services such as Netflix, Disney+, Pornhub, Spotify, Hulu and more. 

Neither did this malware developer mince words about a distributed denial-of-service (DDoS) tool they offered: fittingly enough, it was dubbed Site Killah: a tool that carried promises of having Unbeatable Prices, Fast Attacks and Amazing Support. 

In case there were any doubters left in the room, WeSupply’s forum posts also promote support for zero-day exploits and “Antivirus Bypassing”. WeSteal also provides a “Victim tracker panel” that tracks Infections, “Leaving no doubt about the context,” the researchers say. 

With These Low, Low Prices, We Must Be Crazy

For all that badness, ComplexCodes charges a mere $24 per month, $60 for three months and $125 for one year. 

We don’t necessarily have to worry about ComplexCodes making rent, though. In an email on Friday,  Dr. John Michener, chief scientist of Casaba Security, noted that the Palo Alto Networks report said that it’s surprising that the criminal purchasers of the malware actually trust the malware to steal for them, and not for the authors of the malware itself. 

On the contrary, Dr. Michener told Threatpost:  The malware is probably set up to surreptitiously line its author’s pockets. “It’s quite likely that the malware starts stealing a substantial fraction of the victim funds for the malware authors rather than for the malware purchasers after a reasonable trial and testing period,” he said. 

Here’s how it works: WeSteal uses a simple but effective way to swipe cryptocurrency-receiving addresses: It rummages through clipboards, searching for strings matching Bitcoin and Ethereum wallet identifiers.  When it finds them, WeSteal swaps out the legitimate wallet IDs in the clipboard with its own IDs.  When a victim tries to paste the swapped wallet ID for a transaction, the funds get whisked off to the attacker’s wallet.

Snooping on clipboard content isn’t new, by any means. It goes back at least as far as 1999 with the release of the Sub7 trojan program, which could monitor the contents of the clipboard and change its contents “at the attacker’s whim,” according to Randy Pargman, VP of Threat Hunting and Counterintelligence at Binary Defense. “It’s so easy for attackers to pull off this trick because it does not require any special permissions for apps to read and change the contents of the clipboard – after all, that’s what the clipboard is meant for, to exchange text and graphics between programs,” he told Threatpost in an email on Friday.

In December, RubyGems, an open-source package repository and manager for the Ruby web programming language, took two software packages offline after they were found to be laced with malware that pulled the same trick. Before that, in September 2020, we saw KryptoCibule: clipboard-sniffing malware that spreads via pirated software and game torrents. Even “legitimate” apps do it, albeit not necessarily for cryptocurrency mining per se: For one, in June 2020, TikTok had to lay off after Apple’s privacy feature exposed how it was snooping on clipboards

How WeSteal Does Its Dirty Cryptocurrency-Thieving Work

In true crimeware-as-a-service fashion, WeSteal is actually using a hosted command-and-control (C2) service, which it ambitiously describes as a RAT Panel. The researchers didn’t uncover any remote access trojan (RAT) features available, though: for example, they didn’t find keylogging, credential exfiltration, or webcam hijacking capabilities.  

The tool is, however, distributed as a Python-based trojan in a script named “westeal.py”. 

Soon after the researchers’ report was published, they saw that  a RAT called WeControl was also added to the developer’s roster. As of Thursday, they were still planning to analyze that one. 

How to Guard Your Cryptocurrency Wallet

As the price goes up and more people jump on the bandwagon, we can expect the thieves to work that much harder to steal it, Pargman notes. “The exorbitant price gains across many cryptocurrencies this year are likely to fuel an ever expanding number of crypto-stealing attacks and scams. Another issue that could add to this problem is the increase in amateur crypto investors, who may be more prone to malware, malicious apps and social engineering attacks,” he said. 

Dr. Michener recommends that those who use cryptocurrency should also be using a hardware wallet and a dedicated system that’s  used for nothing else. “Do not mix your banking system with your personal system,” he says: Advice that’s best practice for conventional online banking as well as cryptocurrency activity.  

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.

Suggested articles