Then there is the website, “WeSupply,” owned by a co-conspirator, proudly stating “WeSupply – You profit” (Figure 4). There is no such pretense by ComplexCodes with WeSteal. ![]() They will often describe potential “legitimate” uses for their malware – only to further describe anti-malware evasion properties, silent installation and operation or features such as cryptocurrency mining, password theft or disabling webcam lights. Many authors will hide behind meaningless Terms of Service statements that end users must not use the malware for illegitimate purposes. When pursuing cases against malware authors, prosecutors typically need to demonstrate the author’s intent for the malware. The intent is once again on display with ComplexCode’s Discord-based commodity distributed denial-of-service (DDoS) offering, “Site Killah” (Figure 3). The actor’s forum signature indicates an affiliation with a site that sells accounts for services such as Netflix and Disney+ (Figure 2). This Italian malware coder previously authored a “Zodiac Crypto Stealer” and “Spartan Crypter” for obfuscating malware to avoid antivirus detection. A comparison of samples of the earlier WeSupply Crypto Stealer with WeSteal suggests that WeSteal is likely simply an evolution of the same project. However, ComplexCodes had been selling a “WeSupply Crypto Stealer” since May 2020. Origin of WeStealĪctor “ComplexCodes” started advertising WeSteal on underground forums in mid-February 2021. Palo Alto Networks customers are protected from WeSteal and WeControl with Cortex XDR, the Next-Generation Firewall with WildFire and Threat Prevention security subscriptions, and AutoFocus. We document these new revelations at the end of our report. Immediately before the publication of this report, we discovered that the actors had both added some new features to WeSteal, and had also complemented it with a new commodity remote access tool (RAT) called “WeControl”. We take a look at the actor WeSupply, with an operation and website by the same name, and at the Italian malware coder ComplexCodes, a co-conspirator and actual author of this malware. In this blog, we analyze WeSteal, detail the obfuscation and techniques it uses for persistence and operation, and examine the customers of this malware. The seller promises “ the leading way to make money in 2021” (Figure 1). The author of WeSteal, a new commodity cryptocurrency stealer, makes no attempt to disguise the intent for his malware. Often, commodity malware authors will disingenuously attempt to profess a guise of legitimacy for their malware – a strategy that often doesn’t stand up in court. It seems that for every commodity malware takedown and prosecution, another replaces it to take a turn empowering cybercriminals.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |