VERY IMPORTANT

In this blog, Unit 42 analyzes WeSteal, details the obfuscation and techniques it uses for persistence and operation, and examines the customers of this malware. Unit 42 takes a look at the actor WeSupply, with an operation and website by the same name, and at the Italian malware coder ComplexCodes, a co-conspirator and actual author of this malware. Immediately before the publication of this report, Unit 42 discovered that the actors had both added some new features to WeSteal, and had also complemented it with a new commodity remote access tool (RAT) called “WeControl”. Unit 42 documents these new revelations at the end of the report.