Topic: [MALWARE] Crypto Stealing Malware Clipsa Targeted Computers in the Philippines (Read 285 times)

If you're lucky, you can find malicious executables using a program like Microsoft's Autoruns, Microsoft’s Process Explorer, or Silent Runners. If the malware program is stealthy, you'll have to remove the hiding component from memory first (if possible), then work on extricating the rest of the program. Often, I'll boot Microsoft Windows into Safe Mode or through another method, remove the suspected stealth component (sometimes by just renaming it), and run a good antivirus scanner a few times to clean up the remainders after the stealth part is removed. Here’s one good tutorial on how to use Process Explorer to discover and remove malware, and another here.

Any system is susceptible to session hijacks, lalo na yung mga old-school machines na hindi na naaupdate ang libraries at wala nang support for security. The only way to prevent hacks na lang is to never, ever use third-party computers when opening important accounts and of course, wag magvisit ng mga kahina-hinalang site. Be it automated or manual, kapag may nakitang exploit ang mga hackers sa machine na ginagamit mo, talagang gagamitin nila yun para makuha nila yung gusto nila, and in this case bitcoins nga.

well mas safe pa din pala gumamit ng Mobile?kung ganitong pati ang pag gamit ng 'Control' key ay nagiging ugat para magkaron ng malware attack?

siguro mag stay nalang ako sa oldschool na pag sesend at ang pag copy paste ay walang madaming command kundi ung natural lang

Ang solusyon lang sa ganito, wag ka gagamit ng mga PC sa computer shop kapag magta-transact ka o di kaya wag kang kokonek sa mga public wifi kapag a-access ka sa mga wallet mo. Copy paste malware, dati pa yung mga ganyan at madami dami na din yung mga nabiktima ng ganyan.

Wala ka naman dapat ikabahala kung maingat ka magsearch at magdownload. Kung safe naman yung mga website na bina-browse mo, wala ka dapat ipagalala, maliban nalang kung mahilig ka magdownload sa mga torrent sites na kadalasan doon galing mga malware.

Nakakatakot lang ito lalo na kapag public computer ang gamit mo for transactions.

Honestly, most of the time sa office desktop ako nagtratransact and natatakot ako kase baka yung mga files ng compant mahack dahil sa akin. Kaya dapat talaga doble ingat tayo, wag maging kampante kahit may anti virus kapa kase for sure if you clicked unfamiliar links, madadali ka talaga nito.

Nakakatakot lang ito lalo na kapag public computer ang gamit mo for transactions. Honestly, most of the time sa office desktop ako nagtratransact and natatakot ako kase baka yung mga files ng compant mahack dahil sa akin. Kaya dapat talaga doble ingat tayo, wag maging kampante kahit may anti virus kapa kase for sure if you clicked unfamiliar links, madadali ka talaga nito.

Usong-uso yang clipboard hijacking ngayon kaya kailangan laging doble ingat pag nag eexecute ng mga crypto transactions. Meron din mga advance features ang mga exchanges at pwede mo na e save ang withdrawal address mo para hindi kana mag copy paste pero ugaliin parin e check kung tama ang address.

Nakakatakot lang ito lalo na kapag public computer ang gamit mo for transactions. Honestly, most of the time sa office desktop ako nagtratransact and natatakot ako kase baka yung mga files ng compant mahack dahil sa akin. Kaya dapat talaga doble ingat tayo, wag maging kampante kahit may anti virus kapa kase for sure if you clicked unfamiliar links, madadali ka talaga nito.

May nabiktima nanaman ng isang malware na pinapalitan ang bitcoin address kagaya nung nasa OP. Ingat sa mga mahilig mag-copy paste dyan ng mga address lalo na yung mga windows ang os.

Hello.

I felt something weird like 3 hours ago when my friend sent me his bitcoin wallet to send him around $1k for his services, so what I did I came online quick copied his Bitcoin address quickly pasted it in the blockchain send form, writed 1000, then I hitted send from then I went offline I came back He was like nothing was recevied I checked his bitcoin address and nothing was there, I checked my online wallet and I found out that it was sent to a different Bitcoin address with the same first words!
"14wEFYsvqiTDXA6ru9rV6xiS1gkxHTioVy" the address I wanted to send to, I'm sure I copied & pasted it I am 100% sure now I see that the bitcoins are sent to different wallet which "14wEycrQ2eb1DAbh51z4oQ3AYCA12Qeitm" Now the bitcoins are lost, because the guy claims it's not his address.

Can anyone figure this out?

I just saw another victim of clipboard hijacker malware.

How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.
2. Check the entire address after copy/pasting, and not just the first few (or last few) characters. Check some in the middle too. That's a lot of work, so chances are you won't do that either.
3. I came up with something else: don't copy the entire Bitcoin address, copy only a part, and manually type the last few characters. Even if the malware exchanges the incomplete Bitcoin address by their own, your wallet won't accept the (invalid) address if you've typed a few more characters by yourself.
You'll still need to follow Step 2 after this: check the address!
4. Use copy/paste to verify part of your address. Suppose you want to send funds to address 1PjpEgknyKxQKXtMcYFDym8odkfohFGkui. After copy/pasting, select "yKxQKXtMc" from the pasted address, then press CTRL-C. Then, use CTRL-F followed by CTRL-V to see if the partial address matches the original source of the address. And make sure the source is authentic: email can be spoofed too!
5. I'll add o_e_l_e_o's suggestion here:

Stay vigilant
Check, double check and tripple check before sending funds!

Disguised as a codec installer for media players, Clipsa is written in Visual Basic and primarily a password stealer. It can steal admin credentials on WordPress sites and replace crypto addresses in the clipboard, not to mention mine cryptocurrency on infected computers.

Clipsa performs several actions, including searching for cryptowallet addresses in the clipboard and then replaced it with the wallet addresses by the bad actors who created it.......

According to Avast, Clipsa’s campaign is most prevalent in India where Avast blocked more than 43,000 infection attempts.

In the Philippines, Avas said it protected “more than 15,000 users” from Clipsa. In Brazil, it blocked 13,000 attempts.........

Avast found out that when Clipsa is installed, it comes with more than 9,000 addresses that can hold stolen funds. From its findings, the bad actors are successful in stealing over 3 bitcoin, which is Php 1.8 million in today’s exchange rates.