New Crypto Malware Targets Unprotected WordPress Sites
Researchers have found a new malware called Clipsa, a malicious crypto miner that targets unsecured WordPress sites.
According to the Avast researchers, the malware was noticed during a large distribution campaign that targeted thousands of PCs all over the world. While Clipsa mostly aims to steal crypto, it also replaces the crypto addresses it finds on the clipboard (which is where the malware got its name).
The malware is still spreading, scouring the internet for unsecured sites from the computers it has infected.
Regarding the malware's multiple activities, the researchers stated:
“Clipsa is a multipurpose password stealer, written in Visual Basic, focusing on stealing cryptocurrencies, brute-forcing and stealing administrator credentials from unsecured WordPress websites, replacing crypto-addresses present in a clipboard, and mining cryptocurrencies on infected machines. Several versions of Clipsa also deploy an XMRig coinminer to make even more money from infected computers.”
The malware’s modus operandi involves a malicious codec pack installer for media players. The victim downloads the malware when downloading the player. From an infected PC, Clipsa can also attack unsecured WordPress sites.
After the codec pack is downloaded, the file installs itself and carries out its tasks in a succession of phases. The initiation phase takes no specific parameters, but the following ones take parameters that hint at their functionality.
- Initiation – No parameters; malware just installs and hides on the system, and executes the next phases.
Phases 2 to 4 are programmed to steal ‘crypto-wallet related data’ from the computers. Wallet addresses found on the clipboard are then replaced with the attackers’ addresses from a predefined list.
This means that when the victim pastes his wallet address anywhere, he will actually paste the attackers’ address.
These two parameters involve searching the internet for vulnerable WordPress websites and stealing their admin credentials through brute force.
The malware creators are also interested in analyzing the activities of the malware, as it has a file for logging purposes:
“Clipsa creates and uses an additional file: C:\Users\user\AppData\Roaming\AudioDG\log.dat This file is used for logging purposes, which the malware author can use to debug Clipsa and obtain statistics.”
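The log file named in the quote can serve as a host indicator. The sketch below is an added example, not code from Avast or from this article: it checks every profile under a users directory for `AppData\Roaming\AudioDG\log.dat`, treating the `user` component of the quoted path as a per-profile name. The `USERS_ROOT` environment variable is a hypothetical convenience for pointing it at a mounted disk image.

```python
import os
import stat
from datetime import datetime, timezone
from pathlib import Path

# Relative path taken from the quoted report. "user" in the quoted path
# is assumed to stand for the profile name, so every profile is checked.
IOC_RELATIVE = Path("AppData") / "Roaming" / "AudioDG" / "log.dat"


def sweep_profiles(users_root):
    """Return one record per user profile that contains the Clipsa log file."""
    hits = []
    try:
        profiles = sorted(p for p in Path(users_root).iterdir() if p.is_dir())
    except OSError:
        return hits  # root missing or unreadable: nothing to report
    for profile in profiles:
        candidate = profile / IOC_RELATIVE
        try:
            info = candidate.stat()
        except OSError:
            continue  # file absent, or profile not readable by this account
        if not stat.S_ISREG(info.st_mode):
            continue  # a directory with that name is not the indicator
        written = datetime.fromtimestamp(info.st_mtime, tz=timezone.utc)
        hits.append({
            "profile": profile.name,
            "path": str(candidate),
            "size": info.st_size,
            "modified_utc": written.isoformat(),
        })
    return hits


if __name__ == "__main__":
    # USERS_ROOT is a hypothetical override; the default is the live system.
    root = os.environ.get("USERS_ROOT", r"C:\Users")
    for hit in sweep_profiles(root):
        print(f"{hit['profile']}: {hit['path']} "
              f"({hit['size']} bytes, last written {hit['modified_utc']})")
```

A hit is a lead for further triage rather than proof of infection, and the last-written time gives a rough bound on when the malware was last active in that profile.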
Clipsa was found active in various regions throughout the world, mostly in India, the Philippines, and Brazil. In over a year, thousands of victims were affected by the malware.
Featured image: Coinjournal