
WeSteal, a shameless commodity cryptocurrency stealer available for sale

The bold author of a new cryptocurrency stealer, dubbed WeSteal, is promising its customers a leading way to make money in 2021.

A new cryptocurrency stealer dubbed WeSteal is available on the cybercrime underground. Unlike the authors of other commodity cryptocurrency stealers, its author does not disguise its purpose and openly promises “the leading way to make money in 2021.”

WeSteal is a Python-based malware that uses regular expressions to search the victim’s clipboard for strings that look like cryptocurrency wallet addresses.

According to Palo Alto Networks, the author of WeSteal, who goes by the online handle “ComplexCodes,” started advertising the cryptocurrency stealer on underground forums in mid-February 2021. Experts pointed out that ComplexCodes had been selling a “WeSupply Crypto Stealer” since May 2020, and WeSteal is most likely an evolution of that project.

The researchers believe that the coder is an Italian developer who previously created the “Zodiac Crypto Stealer” and the “Spartan Crypter,” a tool for obfuscating malware to evade antivirus detection.

“When pursuing cases against malware authors, prosecutors typically need to demonstrate the author’s intent for the malware. Many authors will hide behind meaningless Terms of Service statements that end users must not use the malware for illegitimate purposes. They will often describe potential “legitimate” uses for their malware – only to further describe anti-malware evasion properties, silent installation and operation or features such as cryptocurrency mining, password theft or disabling webcam lights.” reads the post published by Palo Alto Networks.

“There is no such pretense by ComplexCodes with WeSteal. There is the name of the malware itself. Then there is the website, “WeSupply,” owned by a co-conspirator, proudly stating “WeSupply – You profit.””

An advertisement for WeSteal claims a zero detection rate and a “Victim tracker panel” that allows operators to track “Infections.”

The author of the malware also claims that the malicious code uses zero-day exploits and that it can steal Bitcoin (BTC) and Ethereum (ETH) flowing in and out of a victim’s wallet by hijacking the clipboard.

The author of the malware also added the capability to steal Litecoin, Bitcoin Cash, and Monero cryptocurrencies.
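The clipboard-swapping behaviour described above can be spotted from the defender’s side with the same kind of pattern matching. The following is an added example (not code from the Palo Alto report or from WeSteal): it classifies clipboard contents as BTC, ETH or LTC addresses with approximate regexes and flags a clipper-style swap, i.e. one address replaced by a different address of the same coin within an assumed one-second window. The polling trace and all addresses in it are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Approximate address shapes for coins the article names (BTC, ETH, LTC); Bitcoin Cash and
# Monero are left out for brevity. These patterns were written for this example and are
# not the malware's own expressions.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
}

# A clipper rewrites the clipboard almost immediately after the user copies an address;
# a human pasting a different address takes far longer. 1 s is an assumed, tunable value.
SWAP_WINDOW_SECONDS = 1.0


def classify(text: str) -> Optional[str]:
    """Return the coin whose address pattern the clipboard text matches, else None."""
    stripped = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return coin
    return None


def detect_swaps(snapshots: List[Tuple[float, str]],
                 window: float = SWAP_WINDOW_SECONDS) -> List[dict]:
    """Walk timestamped clipboard snapshots (seconds, content) and report every case where
    an address was replaced by a *different* address of the same coin within `window` s."""
    alerts = []
    for (t_prev, prev), (t_now, now) in zip(snapshots, snapshots[1:]):
        coin = classify(prev)
        if coin is None or prev.strip() == now.strip():
            continue
        if classify(now) == coin and (t_now - t_prev) <= window:
            alerts.append({"coin": coin, "original": prev.strip(),
                           "replacement": now.strip(), "delay": round(t_now - t_prev, 3)})
    return alerts


# Constructed polling trace (not a real capture): a BTC address is silently rewritten
# 250 ms after the user copied it; the later ETH change is a normal, slow user action.
SAMPLE_SNAPSHOTS = [
    (0.00, "meeting notes"),
    (1.00, "1Cxz7MjJwP4pGqRtKmN3vbAQsYeUdFhL2k"),
    (1.25, "1Fk9TrVwQm2YpXcRsL7BbDnAhGeUj4Ktq3"),
    (9.00, "0x" + "ab12" * 10),
    (30.0, "0x" + "cd34" * 10),
]
```

Running `detect_swaps(SAMPLE_SNAPSHOTS)` yields a single BTC alert with a 0.25 s delay; the ETH change 21 seconds later is not flagged.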

Although WeSteal is advertised as implementing a “RAT Panel,” the experts found no RAT functionality in their analysis.

The author of WeSteal also offers command-and-control infrastructure as a service (C2aaS); the experts observed the use of two domains, one of which also hosts the website used to sell the malware.

WeSteal is distributed as a Python-based Trojan (“westeal.py”), and its author protected it with the open-source PyArmor source code obfuscator.

“The fast and simple monetization chain and anonymity of cryptocurrency theft, together with the low cost and simplicity of operation, will undoubtedly make this type of crimeware attractive and popular to less-skilled thieves. WeControl is similarly both designed and marketed as a tool for illicit activity, lacking in propriety no less than the earlier WeSteal.” concludes the report.

“The ease of detection and blocking of the C2 as a service works against the Italian malware author ComplexCodes. It’s surprising that customers trust their “victims” to the potential control of the malware author, who no doubt could in turn usurp them, stealing the victim “bots” or replacing customers’ wallets with one of ComplexCodes’ own at any time. It’s also surprising that the malware author would risk criminal prosecution for what must surely be a small amount of profit, given the apparently small customer base. Organizations with effective spam filtering, proper system administration and up-to-date Windows hosts have a much lower risk of infection.”


Pierluigi Paganini
