Hackers operating on the dark net sell commodity malware such as spyware and ransomware to the highest bidder. Because they usually fear investigation by cybersecurity companies or law enforcement bodies, they disguise the real purpose of the software; none of them wants to be directly linked to distributing tools for cyberattacks. The hackers behind the WeSteal software and a website called WeSupply don't play by these rules: their professional-looking advertisements openly claim that WeSteal is the leading way to earn money in 2021.
A report by Unit 42, the research unit of cybersecurity giant Palo Alto Networks, analyzes the activity of WeSupply and the developers of the ComplexCodes cyberattack software, and offers a glimpse of how hackers advertise their products on the dark net. The developers, who are apparently from Italy, do not hide their intention, namely to earn money by distributing cyberattack software. The name "WeSteal" appears in their advertisements on the dark net and in Discord groups, and they even use the marketing slogan "WeSupply - You Profit".
In one advertisement, for a cryptocurrency-stealing product called Crypto Stealer, they openly declare that the software uses zero-day vulnerabilities, namely ones that require no active involvement by the victim, and that it bypasses antivirus software. They also detail, in those very words, that the software includes applications for tracking victims and monitoring infections, leaving no doubt about its purpose. The attackers' business model is a subscription service: use of the software costs 20 euros a month, 50 euros for three months or 125 euros for a year.
To steal cryptocurrency from its victims, WeSteal uses regular expressions to watch the clipboard for strings matching the patterns of Bitcoin or Ethereum wallet addresses (the identification codes of wallets). When it finds a string matching one of those patterns, it replaces the legitimate address with one supplied by the malware. When the victim pastes the address into a wallet to make a transaction, the money is sent to the attacker's wallet instead of the destination the victim intended.
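To make the swap concrete from the defender's side, here is an added example (not code from the Unit 42 report or from WeSteal) that models the clipboard as a list of copy/poll snapshots and flags the address replacement described above; the wallet-address patterns, the snapshot model and the sample history are assumed, constructed values.

```python
import re
# Loose shape checks for the address formats the article names: Bitcoin
# base58 (starts with 1 or 3) or bech32 (bc1...), and Ethereum (0x + 40 hex).
# Assumed patterns for illustration; they do not verify address checksums.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return which wallet type the clipboard text looks like, or None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def detect_swaps(snapshots):
    """Flag clipboard hijacks in a list of (event, content) snapshots.
    "copy" = a write the user made; "poll" = a periodic read with no user
    action. Alert when a polled address differs from the last user-copied
    address of the same type (the swap a hijacker performs). A new "copy"
    resets the baseline, so a user copying another address is not flagged."""
    alerts, expected = [], None
    for event, content in snapshots:
        kind, text = classify(content), content.strip()
        if event == "copy":
            expected = (kind, text) if kind else None
        elif event == "poll" and expected is not None:
            exp_kind, exp_text = expected
            if kind == exp_kind and text != exp_text:
                alerts.append({"type": kind, "expected": exp_text, "found": text})
                expected = None  # report each swap once
    return alerts

# Constructed clipboard history (sample data, not real addresses).
BTC_USER = "1ExampLeUserWaLLet1111111111"
BTC_SWAP = "1ExampLeSwappedWaLLet111111111"
ETH_USER = "0x" + "ab" * 20
ETH_SWAP = "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ("copy", "meeting notes"), ("copy", BTC_USER), ("poll", BTC_USER),
    ("poll", BTC_SWAP), ("poll", BTC_SWAP),      # swapped: one alert
    ("copy", ETH_USER), ("poll", ETH_SWAP),      # swapped: second alert
    ("copy", "plain text"), ("poll", ETH_SWAP),  # baseline reset: no alert
]

if __name__ == "__main__":
    print(detect_swaps(SAMPLE_EVENTS))
```

On the constructed history the detector reports exactly two swaps, one Bitcoin and one Ethereum; a user copying a different address resets the baseline and is not reported.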
"WeSteal is a shameless piece of commodity malware with a single, illicit function. Its simplicity is matched by a likely simple effectiveness in the theft of cryptocurrency. The low-sophistication actors who purchase and deploy this malware are thieves, no less so than street pickpockets. Their crimes are as real as their victims," the Unit 42 researchers wrote. "The fast and simple monetization chain and anonymity of cryptocurrency theft, together with the low cost and simplicity of operation, will undoubtedly make this type of crimeware attractive and popular to less-skilled thieves."