A commodity cryptocurrency stealer, WeSteal, is being sold openly online, with its authors making no attempt to disguise its purpose. Moreover, the authors have added new features to the stealer while also promoting another commodity malware, the WeControl RAT.
What has happened?
A threat actor, ComplexCodes, was observed selling the new variant named WeSteal on underground forums in mid-February.
- Experts say the new variant is probably an evolved version of the seller's previous offering, WeSupply Crypto Stealer, which the same actor has been selling since May 2020.
- In addition, some forum posts described support for zero-day exploits and antivirus bypassing.
- The threat actor is reportedly selling WeSteal on a subscription model, charging roughly $24 for one month's use, $60 for three months, or $150 for a year.
- Further, instead of leaving customers to run their own C2 infrastructure, the stealer operates with a hosted C2-as-a-service (C2aaS).
Why should you care?
Recently, the authors added three cryptocurrencies to the list of targets: Litecoin, Bitcoin Cash, and Monero. Previously, the stealer supported only Bitcoin and Ethereum.
- During the initial phase of analysis, researchers expected WeSteal samples to behave like a RAT, because the malware was being advertised as featuring a RAT panel. However, experts noted that not a single RAT feature was actually advertised in detail or observed in the samples.
- Further research revealed that the authors were only advertising improvements to WeSteal while also attempting to sell WeControl RAT, a relatively new piece of malware.
The fast and simple monetization process, combined with the anonymity of cryptocurrency theft and the low cost of such operations, will certainly make this crimeware model attractive and popular among less-skilled groups. Organizations are therefore advised to reduce their exposure by keeping the OS and other applications up to date.