New Crypto Malware Targets Unprotected WordPress Sites - Coindoo
Clipsa malware

New Crypto Malware Targets Unprotected WordPress Sites

Editorial Team Avatar
Aug 12, 2019
3 min reading time

A new malware called Clipsa was found by researchers, which is basically a malicious crypto miner that targets WordPress sites that are not secured.

According to the Avast researchers, the malware was noticed during a huge spread campaign which targeted thousands of PCs from all over the world. While Clipsa mostly targets to steal crypto, it also replaces the crypto addresses it finds on a clipboard (which is where the malware got its name).

The malware is still spreading as it is scouring the internet to find unsecured sites through infected computers.

Regarding the multiple activities of malicious malware, the researchers stated:

“Clipsa is a multipurpose password stealer, written in Visual Basic, focusing on stealing cryptocurrencies, brute-forcing and stealing administrator credentials from unsecured WordPress websites, replacing crypto-addresses present in a clipboard, and mining cryptocurrencies on infected machines. Several versions of Clipsa also deploy an XMRig coinminer to make even more money from infected computers.”

The malware’s modus operandi involved a malicious codec pack installer for media players. The victim then downloads the malware when he downloads the player. From an infected PC, Clipsa can also attack unsecured WordPress sites.

After the codec is downloaded, the file then installs itself and executes its tasks in a succession of phases. The initiation phase does not contain specific parameters, but the next ones contain parameters that hint their functionalities.

  1. Initiation – No parameters; malware just installs and hides on the system, and executes the next phases.
  2. CLIPS
  4. WALLS

The phases from 2 to 4 are programmed to steal ‘crypto-wallet related data’ from the computers. Then the wallet addresses found on the clipboard are replaced with those of the attackers from a predefined list.

This means that when the victim pastes his wallet address anywhere, he will actually paste the attackers’ address.

  1. PARSE
  2. BRUTE

These two parameters involve searching for vulnerable WordPress websites on the internet and stealing through brute force their admin credentials.

The malware creators are also interested in analyzing the activities of the malware, as it has a file for logging purposes:

“Clipsa creates and uses an additional file: C:\Users\user\AppData\Roaming\AudioDG\log.dat This file is used for logging purposes, which the malware author can use to debug Clipsa and obtain statistics.”

Clipsa was found active in various regions throughout the world, mostly in India, Philippines, and Brazil. In over a year, more than thousands of victims were affected by the malware.

Featured image: Coinjournal

* The information in this article and the links provided are for general information purposes only and should not constitute any financial or investment advice. We advise you to do your own research or consult a professional before making financial decisions. Please acknowledge that we are not responsible for any loss caused by any information present on this website.
Press Releases