Regarding the multiple activities of malicious malware, the researchers stated:
“Clipsa is a multipurpose password stealer, written in Visual Basic, focusing on stealing cryptocurrencies, brute-forcing and stealing administrator credentials from unsecured WordPress websites, replacing crypto-addresses present in a clipboard, and mining cryptocurrencies on infected machines. Several versions of Clipsa also deploy an XMRig coinminer to make even more money from infected computers.”
The malware’s modus operandi involved a malicious codec pack installer for media players. The victim then downloads the malware when he downloads the player. From an infected PC, Clipsa can also attack unsecured WordPress sites.
After the codec is downloaded, the file then installs itself and executes its tasks in a succession of phases. The initiation phase does not contain specific parameters, but the next ones contain parameters that hint their functionalities.
The phases from 2 to 4 are programmed to steal ‘crypto-wallet related data’ from the computers. Then the wallet addresses found on the clipboard are replaced with those of the attackers from a predefined list.
This means that when the victim pastes his wallet address anywhere, he will actually paste the attackers’ address.
These two parameters involve searching for vulnerable WordPress websites on the internet and stealing through brute force their admin credentials.
The malware creators are also interested in analyzing the activities of the malware, as it has a file for logging purposes:
“Clipsa creates and uses an additional file: C:UsersuserAppDataRoamingAudioDGlog.dat This file is used for logging purposes, which the malware author can use to debug Clipsa and obtain statistics.”
Clipsa was found active in various regions throughout the world, mostly in India, Philippines, and Brazil. In over a year, more than thousands of victims were affected by the malware.
Featured image: Coinjournal
TheBitcoinNews.com is here for you 24/7 to keep you informed on everything crypto. Like what we do? Tip us some Satoshi with the exciting new Lightning Network Tippin.me tool!