Avast, a digital security products provider, has protected more than 253,000 users from Clipsa in the last year. Clipsa is a multi-functional password stealer, written in Visual Basic, that brute-forces and steals administrator credentials from unsecured WordPress websites, steals cryptocurrencies, and mines cryptocurrencies on infected machines.
The Avast Threat Labs has been tracking Clipsa and has now published a detailed analysis of the malware.
Vulnerable WordPress Sites and Cryptocurrencies Targeted
Clipsa spreads as a malicious executable file, likely disguised as codec pack installers for media players. Once on an infected device, Clipsa can perform multiple actions, such as searching for cryptowallet addresses present in victims’ clipboards to then replace the addresses victims want to send money to with wallet addresses owned by the bad actors behind Clipsa. Furthermore, Clipsa is capable of searching for and stealing wallet.dat files, and installing a cryptocurrency miner.
Additionally, Clipsa uses infected PCs to crawl the internet for vulnerable WordPress websites. Once it finds a vulnerable site, it attempts to brute-force its way into the site, sending valid login credentials to Clipsa’s C&C server. The Avast Threat Labs believes the bad actors behind Clipsa may steal further data from the breached sites, and also suspect they use the infected sites as secondary C&C servers to host download links for miners, or to upload and store stolen data.
“Clipsa is an unusual password stealer, in that it supports a wide range of functionalities. Instead of just focusing on passwords and cryptowallets present on the victim’s computer, Clipsa also makes PCs do the cybercriminals’ dirty work, like searching for vulnerable WordPress websites on the internet and brute-forcing their credentials. The more machines that are infected, the more computational power Clipsa has,” said Jan Rubín, malware researcher at Avast.
The campaign is most prevalent in India, where Avast has blocked more than 43,000 Clipsa infection attempts, protecting more than 28,000 users in India from the malware. The Avast Threat Labs has also observed higher infection attempt rates in the Philippines, where Avast protected more than 15,000 users from Clipsa, and in Brazil, where it protected more than 13,000 users. In total, Avast has protected more than 253,000 users more than 360,000 times since August 2018.
Detecting Clipsa
If a device is infected with Clipsa, users may notice their PC performing slower than usual, due to malicious coinminers mining cryptocurrencies in the background, as well as Clipsa crawling the internet for vulnerable WordPress sites. Users may also notice their clipboard contents being modified whenever they attempt to copy a cryptowallet address.
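The clipboard symptom above can be turned into a simple self-check: copy a known wallet address, read the clipboard back, and compare. The following is an added example written for this article, not Avast's code or anything from the Clipsa analysis; the address patterns, the `check_clipboard_hijack` function and the in-memory `FakeClipboard` stand-in (which emulates the swap behaviour so the check runs offline) are all constructed for illustration.

```python
import re
import time
from typing import Callable, Dict, Optional

# Patterns for the address formats a clipboard hijacker typically watches for
# (constructed for this example: Bitcoin legacy/bech32 and Ethereum).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin type if text looks like a wallet address, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def check_clipboard_hijack(set_clip: Callable[[str], None], get_clip: Callable[[], str],
                           probe: str, wait_s: float = 0.5) -> Dict[str, object]:
    """Write a known address to the clipboard, read it back, and report any change.

    A hijacker swaps the address after the copy, so a short wait precedes the read.
    """
    set_clip(probe)
    time.sleep(wait_s)
    observed = get_clip()
    return {
        "probe_type": classify_address(probe),
        "observed_type": classify_address(observed),
        "tampered": observed != probe,  # any change to a copied address is suspicious
        "observed": observed,
    }


class FakeClipboard:
    """Constructed stand-in for the OS clipboard so the check runs offline."""

    def __init__(self, hijack_to: Optional[str] = None):
        self.value = ""
        self.hijack_to = hijack_to  # when set, emulates a hijacker's replacement address

    def set(self, text: str) -> None:
        self.value = text
        # Emulate the malware behaviour: only wallet-looking text gets replaced
        if self.hijack_to and classify_address(text):
            self.value = self.hijack_to

    def get(self) -> str:
        return self.value
```

On a real machine, pass a clipboard library's copy and paste functions (for example `pyperclip.copy` and `pyperclip.paste`) as `set_clip` and `get_clip` in place of the fake.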
Protecting against Clipsa
To further protect themselves, users should only download installers and software from well-known and trusted websites. Users should also make sure installers are digitally signed, to verify their origin and legitimacy. WordPress website administrators should always use the latest version of WordPress, as well as recommended security settings, and use unique and complex passwords to protect their accounts.