Home
News
- Openly declared cryptocurrency stealing tool, WeSteal, sees no need for any legitimate guise to cover its illegitimate operations.
- ComplexCodes is associated with and avails various unlawful features and services at just $125 a year.
- At the basic level, WeSteal uses clipboard content manipulation tricks to sneak funds directly to the attacker’s ID without alerting the victim.
The illegitimate end of the cyber-verse has always played it safe, i.e., cybercriminals have long since operated their dirty dealings under some legitimate guise to “throw off the lawsuits.” But not this one!
Developer of the said “leading way to make money in 2021,” WeSteal, doesn’t fuss about any such cover. Openly described as the new cryptocurrency-stealing tool in the market, even the name itself tells that it does just that.
The Shameless Thieves
The Palo Alto Networks team better explains that “there is no … pretense by ComplexCodes with WeSteal.” Apart from the tool’s not-so-subtle name, “a co-conspirator” owns a website, ‘WeSupply’ that proudly states ‘WeSupply – You profit’. Published Thursday, the team picked apart the crypto-stealing tool along with a related remote-access trojan (RAT) called WeControl. They render it “shameless” how the developer doesn’t even try to hide its true intent.
The researchers state those “who purchase and deploy this malware are thieves,” not unlike “street pickpockets,” partaking in serious crimes.
Their ‘Achievements’ Till Date
The tool itself isn’t much different from others. Proclaimed curator ComplexCodes began advertising WeSteal on the underground in mid-February. The tool has evolved from the previous WeSupply Crypto Stealer that started selling in May 2020.
WeSupply also promotes zero-day exploits and “Antivirus Bypassing,” and WeSteal provides a “Victim tracker panel” to track Infections.
WeSteal isn’t the malware developer’s first to have such a vivid description. Previously, the tool’s author had devised the Zodiac Crypto Stealer and malware called Spartan Crypter to misdirect antivirus detection. Also, a distributed denial-of-service (DDoS) tool dubbed Site Killah, promising Unbeatable Prices, Fast Attacks, and Amazing Support. ComplexCodes is also linked to a site selling stolen accounts, including popular OTT platforms like Netflix, Disney+, Spotify, Hulu, etc.
The Deluded Malware Purchasers
And ComplexCodes serves this vast platter of badness at just $24 a month, $60 for three months, and $125 a year.
However, Threatpost, when discussing the same, disclosed, “we don’t necessarily have to worry about ComplexCodes making rent.” As mentioned in the Palo Alto Networks report, the criminal malware purchasers “actually trust the malware to steal for them, and not for the authors of the malware itself.” The chief scientist at Casaba Security, Dr. John Michener, agreed that “after a reasonable trial and testing period,” the malware is most likely to start stealing from the “victim funds” for its author rather than the purchasers.
How does It work?
WeSteal browses the clipboards’ contents for strings matching crypto-wallet identifiers. Then it swaps the legal wallet IDs with its own. Now when the ID is pasted for a transaction, the receiving ID is of the attacker.
Randy Pargman, VP Threat Hunting and Counterintelligence at Binary Defense shared messing with the clipboard “isn’t new.” It dates back to 1999, with the Sub7 trojan program that read and changed the clipboard’s contents “at the attacker’s whim.” Since it doesn’t require any special permission, it’s “easy for attackers to pull off this trick.”
In December 2020, RubyGems, a package manager for the Ruby programming language, took down two software packages with malware enacting the same trick. September 2020 had KryptoCibule, a malware-altering clipboard content that spread via pirated software and game torrents. Evidently, like June 2020 identified TikTok, some legal apps also execute such tricks, not necessarily for crypto mining.
In technical terms, offering crimeware-as-a-service, WeSteal hosts a command-and-control (C2) service called RAT panel. However, researchers did not find any remote access trojan (RAT) features, like keylogging, credential exfiltration, or webcam hijacking. This tool is a Python-based trojan, with a script titled ‘westeal.py’.
Better Opportunities Lure Greater Offenders
Well, with the bullish rise of crypto, the increase in the number and effort of cyber-offenders to steal it is a given. The bigger the prize, the greedier the thieves. Additionally, the crypto-popularity also attracts volumes of newbies, and these amateur crypto investors are more vulnerable to such “malware, malicious apps and social engineering attacks,” said Pargman.
Crypto Dedicated System Lowers Crime-Risks
To guard one’s crypto wallet, Dr. Michener advises using a hardware wallet and a dedicated system dedicated exclusively to cryptocurrency. Ending it with, “do not mix your banking and personal system,” which applies to both crypto-trade and conventional online banking.
Steve Anderson is an Australian crypto enthusiast. He is a specialist in management and trading for over 5 years. Steve has worked as a crypto trader, he loves learning about decentralisation, understanding the true potential of the blockchain.
