Clipsa Malware Steals Cryptocurrency By Targeting Unsecured WordPress Sites


Researchers have found a new malware campaign active in the wild. The malware, named Clipsa, is a cryptocurrency stealer and cryptominer that also targets unsecured WordPress websites. It replaces cryptocurrency addresses found in the clipboard as well, which is where the name ‘Clipsa’ comes from. The malware keeps spreading by using infected computers to scan the internet for further vulnerable sites.

Clipsa Malware Targeting WordPress Sites

Researchers from Avast have spotted a huge malware campaign targeting thousands of PCs around the world. The Clipsa malware involved in this campaign primarily targets cryptocurrencies.

Describing the malicious activities this malware carries out, the researchers stated:

Clipsa is a multipurpose password stealer, written in Visual Basic, focusing on stealing cryptocurrencies, brute-forcing and stealing administrator credentials from unsecured WordPress websites, replacing crypto-addresses present in a clipboard, and mining cryptocurrencies on infected machines. Several versions of Clipsa also deploy an XMRig coinminer to make even more money from infected computers.

The malware reaches a victim’s device disguised as a codec pack installer for media players; the victim unknowingly downloads the malware together with the player. From an infected PC, it can also attack vulnerable WordPress websites.

Attack Analysis

After download, the malware installs itself and runs its activities in several phases. The initial phase takes no parameters, whereas each subsequent phase is launched with a specific parameter that indicates its function. These phases are:

1. Initiation – No parameters.

In this phase, the malware installs itself, hides on the system, and launches the subsequent phases.

2. CLIPS

3. CLIPPS

4. WALLS

Phases 2 to 4 aim at stealing the users’ crypto-wallet-related data. Among the activities in these phases is replacing wallet addresses found in the clipboard with attacker-controlled addresses taken from a predefined list. Consequently, when the victim pastes a wallet address anywhere, they unknowingly paste the attackers’ address instead.
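To make the clipboard-swapping behaviour concrete from the defender’s side, here is an added Python example (not code from this article or from Avast’s analysis) that runs a simple detection heuristic over a recorded clipboard history: an address-shaped string replaced by a different address of the same family within a few seconds is flagged. The ClipboardEvent record, its source field, the time window and the sample addresses are all constructed assumptions; a real deployment would feed the events from a clipboard collector (for example a poller built on pywin32 on Windows).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape-only patterns for two common address families (no checksum
# validation). Shape is enough here: the question is whether one
# address-looking string was silently replaced by another of the same kind.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    t: float      # seconds since the monitor started (assumed collector field)
    text: str     # clipboard text at that moment
    source: str   # process that set the clipboard (assumed collector field)


def classify(text: str) -> Optional[str]:
    """Return the address family `text` looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def detect_swaps(events: List[ClipboardEvent], window: float = 5.0) -> List[Dict[str, object]]:
    """Flag an address being replaced by a different address of the same family
    within `window` seconds. A person rarely copies two different wallet addresses
    of the same coin a few seconds apart, so this is a cheap heuristic for
    clipboard-hijacking behaviour; tune `window` for your environment."""
    alerts: List[Dict[str, object]] = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        if prev is not None and ev.t - prev.t <= window:
            before, after = classify(prev.text), classify(ev.text)
            if before is not None and before == after and prev.text.strip() != ev.text.strip():
                alerts.append({
                    "t": ev.t,
                    "currency": before,
                    "original": prev.text.strip(),
                    "replaced_with": ev.text.strip(),
                    "source": ev.source,
                })
        prev = ev
    return alerts


# Constructed sample clipboard history (not real addresses or real data).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "Meeting notes: send the invoice by Friday", "notepad.exe"),
    ClipboardEvent(12.0, "1VictimAddrESSxxxxxxxxxxxxxxxxxxxx", "wallet.exe"),
    ClipboardEvent(12.4, "1AttackerAddrESSxxxxxxxxxxxxxxxxxx", "unknown"),   # swapped 0.4 s later
    ClipboardEvent(40.0, "0x" + "ab" * 20, "wallet.exe"),
    ClipboardEvent(90.0, "0x" + "cd" * 20, "wallet.exe"),   # 50 s later: outside the window, not flagged
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"[{alert['t']:.1f}s] {alert['currency']} address swapped by {alert['source']}: "
              f"{alert['original']} -> {alert['replaced_with']}")
```

Running the block as a script prints one alert, for the Bitcoin address replaced at 12.4 s; the Ethereum change at 90 s is treated as a legitimate re-copy because it falls outside the window.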

5. PARSE

6. BRUTE

These two phases crawl the internet for vulnerable WordPress websites and brute-force their administrator logins to steal the credentials.
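From the WordPress side, the brute-forcing described above leaves a distinctive trace in the web server’s access log: bursts of POST requests to wp-login.php from a single address, almost all answered with HTTP 200 (the re-rendered login form) rather than the 302 redirect a successful login produces. The following added Python example (not part of this article or of Avast’s analysis) flags such bursts in combined-format access logs. The log lines are constructed samples using documentation IP ranges, and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional

# Apache/Nginx "combined"-style access-log line (the constructed samples below use it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept WordPress credentials.
LOGIN_PATHS = {"/wp-login.php"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def is_failed_login(rec: dict) -> bool:
    # On a wrong password wp-login.php re-renders the form with 200;
    # a successful login answers with a 302 redirect to the dashboard.
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == 200


def detect_bruteforce(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> Dict[str, int]:
    """Return {ip: peak_count} for every IP with at least `threshold` failed
    login attempts inside any sliding window of `window_s` seconds."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample log (documentation IP ranges, fictitious timestamps).
SAMPLE_LOG: List[str] = [
    '203.0.113.7 - - [10/Aug/2019:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311',
    '203.0.113.7 - - [10/Aug/2019:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2455',
    '203.0.113.7 - - [10/Aug/2019:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2455',
    '198.51.100.20 - - [10/Aug/2019:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Aug/2019:14:02:08 +0000] "POST /wp-login.php HTTP/1.1" 200 2455',
    '203.0.113.7 - - [10/Aug/2019:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2455',
    '203.0.113.7 - - [10/Aug/2019:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2455',
    '203.0.113.7 - - [10/Aug/2019:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2455',
    '192.0.2.9 - - [10/Aug/2019:14:03:00 +0000] "GET /index.php HTTP/1.1" 200 8810',
]

if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} failed logins within 60 s")
```

The single successful login from 198.51.100.20 is not counted, and the GET requests are ignored, so only 203.0.113.7 with six failed attempts in twelve seconds is reported. In production, feed the function from the live log (for example a tailed file) and pair the alert with a rate limit or a temporary block at the web server.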

Logging

The attackers behind Clipsa also seem keen to analyze the malware’s activity, since it includes a logging function. As the researchers state,

Clipsa creates and uses an additional file:
C:\Users\user\AppData\Roaming\AudioDG\log.dat
This file is used for logging purposes, which the malware author can use to debug Clipsa and obtain statistics.
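The log.dat path quoted above is a file-system indicator a responder can sweep for across every user profile on a machine. The added Python example below (not code from this article or from Avast) matches that relative path case-insensitively in any profile; the `C:\Users` root, the function names and the sample paths are assumptions, and the `user` segment in the quoted path stands for whichever profile is infected.

```python
from pathlib import Path, PureWindowsPath
from typing import Iterable, List

# Path of the logging file relative to a user profile, as quoted in the analysis.
CLIPSA_LOG_REL = PureWindowsPath("AppData") / "Roaming" / "AudioDG" / "log.dat"


def matches_clipsa_log(path: str) -> bool:
    """True if `path` ends with AppData\\Roaming\\AudioDG\\log.dat, ignoring case
    and accepting either slash style, so it works on paths from any profile."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    want = [p.lower() for p in CLIPSA_LOG_REL.parts]
    return len(parts) >= len(want) and parts[-len(want):] == want


def filter_paths(paths: Iterable[str]) -> List[str]:
    """Filter an already-collected list of file paths (e.g. from a disk image
    or EDR inventory) down to those matching the indicator."""
    return [p for p in paths if matches_clipsa_log(p)]


def sweep_profiles(users_root: str = r"C:\Users") -> List[str]:
    """Check every profile directory under `users_root` on the live system."""
    root = Path(users_root)
    hits: List[str] = []
    if not root.is_dir():
        return hits
    for profile in root.iterdir():
        candidate = profile / "AppData" / "Roaming" / "AudioDG" / "log.dat"
        if candidate.is_file():
            hits.append(str(candidate))
    return hits


# Constructed sample inventory (fictitious profile names).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\AudioDG\log.dat",
    r"C:\Users\alice\AppData\Roaming\AudioDG\settings.ini",
    "C:/Users/bob/appdata/roaming/audiodg/LOG.DAT",
    r"C:\Users\carol\AppData\Local\Temp\log.dat",
]

if __name__ == "__main__":
    for hit in filter_paths(SAMPLE_PATHS) + sweep_profiles():
        print("indicator present:", hit)
```

A hit is a reason to pull the file for the statistics it holds and to examine the rest of that profile, not proof on its own; a benign file could share the name.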

The researchers have presented a detailed technical analysis of the malware in their blog post.

Malware Campaign Already Active In The Wild

Clipsa caught the researchers’ attention because of its active attack campaigns around the world. The malware was most prevalent in India, followed by the Philippines and Brazil.

Over a span of one year, they observed thousands of victim devices attacked by this malware.

In total, Avast protected more than 253,000 users more than 360,000 times, since August 1, 2018.

To stay protected from the malware, users should keep their systems equipped with robust anti-malware software.

Earlier this year, we reported on a similar malware, CookieMiner, that predominantly targeted Mac users.
