Avast specialists discovered Clipsa, the strange malware, which not only steals cryptocurrency, substitutes wallet addresses in the users’ buffers and installs miners on infected machines, but also launches brute-force attacks against WordPress sites on compromised hosts.The main source of infections are codec packs for media players that users download on the Internet themselves.
According to researchers, Clipsa has been active for at least a year, and most of all the experts were surprised by the functionality against WordPress sites. The fact is that Windows malware rarely shows such behavior, as often such attacks are carried out by botnets from infected servers or IoT devices.
“Clipsa most likely uses infected WordPress sites as secondary management servers, which are then used to download and store stolen data, as well as to provide links to download miners”, – experts write.
However, despite attacks on WordPress sites, Clipsa is still concentrating on cryptocurrency. Therefore, after infection, the malware scans the victim’s computer for wallet.dat files related to cryptocurrency wallets. If the files are found, the malware steals them and transfers them to a remote server. Clipsa also looks for TXT files containing strings in BIP-39 format. If any are found, the text is saved in another file and transferred to the criminals’ server, so later it can be used to crack the stolen wallet.dat files.
In addition, malware installs control over the clipboard of the infected OS and monitors when the user copies or cuts out text similar to Bitcoin or Ethereum addresses. Clipsa replaces such addresses with the addresses of its operators, hoping to intercept any payments that the user is trying to make.
In some cases, the malware also deploys the XMRig miner on infected hosts to mine the Monero cryptocurrency.
According to Avast, from August 1, 2018, the company’s antivirus products blocked more than 253,000 attempts to infect Clipsa. Most incidents have been reported in countries such as India, Bangladesh, the Philippines, Brazil, Pakistan, Spain and Italy.
Experts analyzed 9412 bitcoin addresses that Clipsa operators have used in the past. As it turned out, the attackers had already “earned” almost three bitcoins, which were listed on 117 of these addresses. The income of malware operators is at least $35,000 a year, simply due to spoofing in the buffers of infected machines. Worse, this statistic does not take into account money stolen from users through hacking stolen wallet.dat files, as well as funds received through Monero mining.