WeSteal: A Cryptocurrency-Stealing Tool That Does Just That | Threatpost
Some cybercriminals at least try to cover their dirty work with a threadbare cloak of lawsuit-deflecting legitimacy: for example, phone-tracking tools that install and operate silently and are supposedly intended for parents to (legally) keep an eye on their children (actually stalkerware), ransomware gangs babbling rationalizations about “helping” by finding zero days before their victims do, or the other cover stories used to sell antimalware-circumvention tools, cryptocurrency miners, password crackers, or webcam-light disablers.
But who has time to waste on that pretense?
Not WeSteal. As the name alone makes clear, WeSteal’s developers can’t be bothered with the flimflam. Whoever created the new cryptocurrency-stealing tool flatly says that it is “the main way to make money in 2021.”
“There is no… pretense on the part of ComplexCodes with WeSteal. It’s in the name of the malware itself. Then there is the website, ‘WeSupply’, owned by a co-conspirator, which proudly declares ‘WeSupply – You Profit,’” a Palo Alto Networks team says of the new tool they found being sold underground.
In a post on Thursday, the researchers dissected the cryptocurrency-wallet pickpocket tool WeSteal and a related Remote Access Trojan (RAT) called WeControl, saying it’s “shameless” how the developers aren’t even trying to hide the true intent of the tools.
“WeSteal is a shameless piece of commodity malware with a single, illicit function,” they say. “Its simplicity is matched by a likely simple effectiveness in cryptocurrency theft. The low-sophistication actors who buy and deploy this malware are thieves, no less than street pickpockets. Their crimes are as real as their victims.”
WeSteal, née WeSupply, née etc. etc. etc.
What’s new in this cryptocurrency-stealing offering? From what the researchers can determine, for the most part, the name. A threat actor called ComplexCodes started promoting WeSteal in the underground in mid-February, but before that, they had been selling a crypto stealer called WeSupply since May 2020. Code samples suggest that WeSteal evolved from that earlier tool.
The tool’s author also previously produced the Zodiac crypto stealer, as well as malware called Spartan Crypter that is used to bypass antivirus detection. Additionally, Palo Alto Networks analysts found evidence linking ComplexCodes to a site that sells stolen accounts for services like Netflix, Disney+, Pornhub, Spotify, Hulu, and more.
This malware developer didn’t mince words about a distributed denial-of-service (DDoS) tool they offered either: appropriately enough, it was named Site Killah, a tool that promised unbeatable prices, fast attacks, and incredible support.
In case there were any questions left in the room, WeSupply’s forum posts also promote support for zero-day exploits and “antivirus bypass.” WeSteal also provides a “victim tracking dashboard” that tracks infections, “leaving no doubt about the context,” the researchers say.
With prices this low, we must be crazy
For all of that, ComplexCodes charges just $24 a month, $60 for three months, and $125 for a year.
However, we don’t necessarily have to worry about ComplexCodes making rent. In an email on Friday, Dr. John Michener, Chief Scientist at Casaba Security, noted that the Palo Alto Networks report said it is surprising that the criminal buyers of the malware actually trust it to steal for them, rather than for the malware authors themselves.
On the contrary, Dr. Michener told Threatpost, the malware is likely set up to surreptitiously line its author’s pockets. “It is quite likely that the malware will start stealing a substantial fraction of victim funds for the malware authors rather than the purchasers of the malware after a reasonable trial and error period,” he said.
Here’s how it works: WeSteal uses a simple but effective way to swipe cryptocurrency receiving addresses. It pokes through the clipboard, looking for strings that match Bitcoin and Ethereum wallet identifiers. When it finds one, WeSteal swaps the legitimate wallet ID on the clipboard with its own. When a victim then pastes the swapped wallet ID into a transaction, the funds are transferred to the attacker’s wallet.
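The defensive counterpart to the trick described above is a clipboard guard: remember what the user deliberately copied, and raise an alert whenever a later read of the clipboard shows that a wallet address has been replaced by a different address of the same type without the user copying anything. The Python below is an added example and is not code from the article or from Palo Alto Networks; the address regular expressions are an assumption (the report does not publish WeSteal’s own patterns), the Base58Check validation follows the public Bitcoin address format, and the clipboard “events” are constructed inline so the script runs offline (on a real desktop the poll loop would read the system clipboard instead).

```python
import hashlib
import re

# Address shapes a clipboard hijacker hunts for (assumed patterns, not WeSteal's own).
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")   # P2PKH / P2SH
BTC_BECH32 = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")        # native SegWit
ETH = re.compile(r"\b0x[0-9a-fA-F]{40}\b")                        # Ethereum (no EIP-55 check here)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify(text):
    """Return (asset, address) for the first wallet address found in text, else None."""
    for asset, pattern in (("eth", ETH), ("btc", BTC_BECH32), ("btc", BTC_LEGACY)):
        m = pattern.search(text)
        if m:
            return asset, m.group(0)
    return None


def b58decode(s):
    """Decode a Base58 string to bytes; leading '1' characters encode leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on a non-alphabet char
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def btc_legacy_checksum_ok(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        data = b58decode(addr)
    except ValueError:
        return False
    if len(data) != 25:
        return False
    payload, check = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == check


def detect_swaps(events):
    """events: sequence of (kind, clipboard_text); kind is 'copy' (user action)
    or 'poll' (periodic read). Alert when a poll shows a different address of the
    same asset type than the one the user last copied."""
    alerts = []
    last_copied = None
    for idx, (kind, content) in enumerate(events):
        if kind == "copy":
            last_copied = content
            continue
        if last_copied is None or content == last_copied:
            continue
        before, after = classify(last_copied), classify(content)
        if before and after and before[0] == after[0] and before[1] != after[1]:
            alerts.append({"event": idx, "asset": before[0],
                           "expected": before[1], "found": after[1]})
    return alerts


# Constructed clipboard timeline: the user copies a merchant's BTC address, then a
# poll shows it replaced by another BTC address nobody copied (the hijack pattern).
SAMPLE_EVENTS = [
    ("copy", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("copy", "hello world"),
    ("poll", "hello world"),
    ("copy", "0x" + "ab" * 20),
    ("poll", "0x" + "ab" * 20),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print("clipboard swap suspected:", alert)
    print("copied address checksum valid:",
          btc_legacy_checksum_ok("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))
```

The checksum routine is there because a swap detector is only half the story: a user who verifies the first and last few characters of an address before sending, and a wallet that refuses a malformed address, both close the same window. Ethereum’s EIP-55 mixed-case checksum needs Keccak-256, which the standard library does not ship, so the example validates only the Bitcoin legacy format.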
Snooping on the contents of the clipboard is not new, by any means. It dates back to at least 1999 with the release of the Sub7 Trojan, which could monitor the clipboard and change its contents “at the attacker’s will,” according to Randy Pargman, vice president of threat hunting and counterintelligence at Binary Defense. “It’s very easy for attackers to pull off this trick because it doesn’t require any special permissions for applications to read and change clipboard content; after all, that’s what the clipboard is designed for, to exchange text and graphics between programs,” he told Threatpost in an email on Friday.
In December, RubyGems, an open-source package repository and steward of the Ruby web programming language, took two software packages offline after they were found to be laced with malware that did the same trick. Before that, in September 2020, we saw KryptoCibule: clipboard-sniffing malware spread via pirated software and game torrents. Even “legitimate” apps do it, though not necessarily for cryptocurrency theft per se: for one, in June 2020, TikTok had to stop after Apple’s privacy feature exposed how it was snooping on clipboards.
How WeSteal does its dirty job of stealing cryptocurrency
In true crimeware-as-a-service fashion, WeSteal actually uses a hosted command-and-control (C2) service, which it ambitiously describes as a “RAT Panel.” However, the researchers did not discover any Remote Access Trojan (RAT) functions: for example, they found no keylogging, credential exfiltration, or webcam hijacking capabilities.
Rather, the tool is distributed as a Python-based Trojan in a script called “westeal.py”.
Shortly after the researchers’ report was published, they saw that a RAT named WeControl was also added to the developer’s list of offerings. As of Thursday, they were still planning to look into it.
How to protect your cryptocurrency wallet
As the price goes up and more people jump on the bandwagon, we can expect thieves to try harder to steal it, says Pargman. “Exorbitant price gains in many cryptocurrencies this year are likely to drive an increasing number of cryptocurrency theft attacks and scams. Another issue that could compound this problem is the rise of amateur cryptocurrency investors, who may be more prone to malware, malicious apps, and social engineering attacks,” he said.
Dr. Michener recommends that those who use cryptocurrencies should also use a hardware wallet and a dedicated system that is not used for anything else. “Don’t mix your banking system with your personal system,” he says, advice that is best practice for conventional online banking as well as cryptocurrency activity.
Join Threatpost to “Fortify Your Business Against Ransomware, DDoS & Cryptojacking Attacks,” a live roundtable event on Wednesday, May 12 at 2:00 p.m. ET. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing the best defense strategies for these 2021 threats. Live audience questions and participation are encouraged. Join the lively discussion and register here for free.