Avast specialists discovered Clipsa, an unusual malware that not only steals cryptocurrency, replaces wallet addresses in the user's clipboard and installs miners on infected machines, but also launches brute-force attacks against WordPress sites from the compromised hosts. The main source of infection is codec packs for media players that users download from the Internet themselves. According to the researchers, Clipsa has been active for at least a year, and what surprised experts most was the functionality directed against WordPress sites: Windows malware rarely shows such behavior, since such attacks are most often carried out by botnets of infected servers or IoT devices.
Experts write that Clipsa likely uses infected WordPress sites as secondary control servers, which are then used to upload and store stolen data and to host links for downloading miners. Despite the attacks on WordPress sites, however, Clipsa still focuses mainly on cryptocurrency. After infection, the malware scans the victim's computer for wallet.dat files belonging to cryptocurrency wallets. If such files are found, the malware steals them and transfers them to a remote server. Clipsa also looks for TXT files containing BIP-39 strings. If any are found, the text is saved to another file and also transferred to the criminals' server, to be used later to crack the stolen wallet.dat files.
In addition, the malware takes control of the clipboard on the infected system and monitors for the user copying or cutting text that looks like a Bitcoin or Ethereum address. Clipsa replaces such addresses with addresses belonging to its operators, hoping to intercept any payment the user tries to make.
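A defender-side illustration of the clipboard substitution described above, added here as an example and not taken from the Avast report or from Clipsa itself: it records what the user copied, re-checks the clipboard just before paste, and flags an address-shaped value that changed in between (or a legacy Bitcoin address whose Base58Check checksum fails). The clipboard is simulated with plain strings so the code runs offline; the regexes, the `ClipboardGuard` class and the verdict strings are my own choices.

```python
import hashlib
import re

# Address-shaped text the guard cares about (the families the article names: Bitcoin, Ethereum).
BTC_LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
BTC_BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def address_kind(text: str):
    """Classify clipboard text as 'btc', 'eth' or None (not address-shaped)."""
    text = text.strip()
    if BTC_LEGACY_RE.match(text) or BTC_BECH32_RE.match(text):
        return "btc"
    if ETH_RE.match(text):
        return "eth"
    return None


def base58check_valid(addr: str) -> bool:
    """True if a legacy Bitcoin address decodes to 25 bytes with a correct double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1's are zero bytes
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


class ClipboardGuard:
    """Remembers what the user copied and checks the clipboard again right before paste."""

    def __init__(self):
        self.copied = None

    def on_copy(self, text: str) -> None:
        self.copied = text.strip()

    def on_paste(self, clipboard_now: str) -> str:
        now = clipboard_now.strip()
        kind = address_kind(now)
        if kind is None:
            return "ok"        # not an address, nothing to check
        if self.copied is not None and now != self.copied and address_kind(self.copied):
            return "hijack"    # address changed between copy and paste: clipper behaviour
        if kind == "btc" and now[0] in "13" and not base58check_valid(now):
            return "invalid"   # malformed legacy address (typo or truncation)
        return "ok"
```

In a real deployment the copy and paste hooks would be wired to the OS clipboard API; the verdict "hijack" is the signal worth alerting on, since a legitimate user action between copy and paste would have gone through `on_copy` again.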
In some cases, the malware also deploys the XMRig miner on infected hosts to mine the Monero cryptocurrency.
According to Avast, since August 1, 2018, the company's antivirus products have blocked more than 253,000 Clipsa infection attempts. Most of the incidents were recorded in countries such as India, Bangladesh, the Philippines, Brazil, Pakistan, Spain and Italy.
Experts analyzed 9412 Bitcoin addresses that Clipsa operators have used in the past. It turned out that the attackers had already "earned" almost 3 bitcoins, which were transferred to 117 of these addresses. That is, the malware operators' income is at least $35,000 per year purely from substituting addresses in the clipboards of infected machines. Worse, this figure does not take into account money stolen from users by cracking the stolen wallet.dat files, or funds obtained through Monero mining.
Source: xaker.ru