Security researchers at Palo Alto Networks recently published a report on a new cryptocurrency-stealing malware that is being sold on the dark web.
The tool is called WeSteal, and the researchers believe it may be an evolution of the older WeSupply crypto theft tool. Palo Alto Networks calls the way WeSteal is marketed "shameless": the author makes no attempt to disguise the purpose of the malware or to present it in a light that might help the author's defense if the case ever reaches a courtroom.
Many malware developers who peddle their goods on the dark web deliberately present them as "research" or "educational" tools, a thin pretext meant to give them some kind of defense if they are ever charged. That is not the case with WeSteal, which its developers advertise as the best way to "make money in 2021", according to the banner ads they published.
WeSteal Builds Onto Existing Cryptostealer
WeSupply, which appears to be the previous version of WeSteal, has been sold on dark web forums and marketplaces for about a year. WeSteal first appeared in February 2021 and has been around for only a few months.
WeSteal is also marketed as having integrated remote access Trojan (RAT) capabilities, but Palo Alto Networks does not believe this to be the case. The research team thinks WeSteal relies on a much simpler command-and-control setup, without the more advanced capabilities of a fully featured RAT, such as keystroke logging, webcam takeover, or capturing and stealing login credentials.
Simple but Effective Transaction Hijacking
The way WeSteal works is not very different from other crypto theft tools of the "clipper" type. The malware polls the user's clipboard, and every time it finds a string that looks like a cryptocurrency wallet address, it replaces that string with an address controlled by the attackers. A victim who copies a recipient address and pastes it into a wallet application without checking it therefore sends the funds to the attackers instead.
The malware started out with the ability to hijack Bitcoin and Ethereum transactions and was later updated to target additional cryptocurrencies, including Monero, Bitcoin Cash and Litecoin.
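To make the clipper technique concrete, the following is an added example, written for this page and not code from WeSteal or from the Palo Alto Networks report. It simulates, on plain strings rather than the real OS clipboard, what such a tool does on every clipboard poll: recognise an address by its shape for each of the coins the article names and swap it for the attacker's address of the same coin. It also shows the check a wallet application or browser extension could run before a paste lands. The address patterns are deliberately loose (shape only, no checksum validation), the coin list and all wallet strings are constructed, and the function names are this example's own.

```python
"""Clipboard hijacking ("clipper") simulated on strings, plus a defender-side
check. Added example; not WeSteal's code. Address shapes are approximate and
unvalidated (no base58/bech32 checksum), which is also all a clipper needs."""
import re

# Base58 alphabet: digits and letters except 0, O, I and l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"

# Loose address shapes for the coins named in the article. Assumption: a real
# clipper would use similar regexes; exact character sets vary per coin.
WALLET_PATTERNS = {
    "BTC": re.compile(rf"\b(?:[13]{B58}{{25,34}}|bc1[a-z0-9]{{38,58}})\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "LTC": re.compile(rf"\b(?:[LM]{B58}{{26,33}}|ltc1[a-z0-9]{{38,58}})\b"),
    "BCH": re.compile(r"\b(?:bitcoincash:)?[qp][a-z0-9]{41}\b"),
    "XMR": re.compile(rf"\b4{B58}{{94}}\b"),
}

# One combined regex with a named group per coin, so a single pass over the
# text rewrites every address and never re-matches text it just inserted.
COMBINED = re.compile(
    "|".join(f"(?P<{coin}>{pat.pattern})" for coin, pat in WALLET_PATTERNS.items())
)


def classify(text: str):
    """Return the coin whose address shape `text` (whole string) matches, else None."""
    m = COMBINED.fullmatch(text.strip())
    return m.lastgroup if m else None


def clipper_rewrite(clipboard: str, attacker_wallets: dict) -> str:
    """What a clipper does on each poll: replace every recognised address with
    the attacker's address for that coin. Coins the attacker has no wallet for
    are left untouched (the victim's LTC address below survives for that reason)."""
    return COMBINED.sub(
        lambda m: attacker_wallets.get(m.lastgroup, m.group(0)), clipboard
    )


def detect_swap(copied: str, about_to_paste: str):
    """Defender-side check (assumed integration point: a wallet app or browser
    extension that remembers what the user copied). Returns the coin if the
    clipboard now holds a *different* address of the same coin, which is the
    clipper's signature; None otherwise."""
    before, after = classify(copied), classify(about_to_paste)
    if before is not None and before == after and copied.strip() != about_to_paste.strip():
        return before
    return None


# Constructed, obviously fake addresses that merely fit the shapes above.
VICTIM_BTC = "1" + "Vic" * 11          # 34 chars, starts with 1
VICTIM_ETH = "0x" + "ab" * 20          # 0x + 40 hex digits
VICTIM_LTC = "L" + "Lt" * 15           # 31 chars, starts with L
VICTIM_XMR = "4" + "Ab" * 47           # 95 chars, starts with 4
ATTACKER_WALLETS = {
    "BTC": "1" + "Evi" * 11,
    "ETH": "0x" + "ef" * 20,
    "XMR": "4" + "Ev" * 47,
    # no LTC entry: the clipper cannot monetise LTC and leaves it alone
}


def demo():
    """Run the simulation on a constructed clipboard payload and return both
    the rewritten text and the result of the defender's check."""
    clipboard = f"Pay {VICTIM_BTC} or {VICTIM_ETH}, LTC {VICTIM_LTC}, XMR {VICTIM_XMR}"
    rewritten = clipper_rewrite(clipboard, ATTACKER_WALLETS)
    alert = detect_swap(VICTIM_BTC, clipper_rewrite(VICTIM_BTC, ATTACKER_WALLETS))
    return rewritten, alert


if __name__ == "__main__":
    text, alert = demo()
    print(text)
    print("clipper suspected for:", alert)
```

The defender check is the automated form of the advice users are usually given (compare the first and last characters of the address you copied with what you pasted); it compares the whole string and only fires when the type of address is unchanged, which is what distinguishes a clipper swap from the user simply copying something else.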
WeSteal is written in Python, and its sellers claim it offers antivirus evasion and zero-day exploit capabilities. How much of that is true is an open question, at least according to the researchers.
Shortly after Palo Alto Networks published its report on WeSteal, the same developers put a new, dedicated remote access Trojan up for sale.