Topic: [Warning]Clipsa – Multipurpose password stealer

legendary
Activity: 1652
Merit: 1007
Whatever it is... It is easier to hack your laptop or phone than an actual physical robbery nowadays. Never leave your sensitive passwords in the browser. It is a bit annoying to type your passwords all the time but better safe than sorry.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
What knocks me off balance a bit reading the referenced Avast article is that their charts start in August 2018. I’ve seen a few alternative sources and some of them cite this specific malware instance as new, but the charts (and some of the text) state otherwise. The spread-in-time chart indicates that it is receding to a fairly low point, so perhaps Avast is recapping here (I’ve googled it too, but nearly all significant entries are recent).
legendary
Activity: 2576
Merit: 1655
I just thought to share this with everyone, I saw this in our local boards here: [MALWARE] Crypto Stealing Malware Clipsa Targeted Computers in the Philippines by rosezionjohn

The report says that the malicious malware has stolen around 3 BTC, not that big, but the thing is that it can continue to infect a lot of PCs around the world and the number could grow in months.

What makes this scary is that this malware targeted crypto wallets. As per this blog post by Avast:

Quote
High level overview

Clipsa is a multipurpose password stealer, written in Visual Basic, focusing on stealing cryptocurrencies, brute-forcing and stealing administrator credentials from unsecured WordPress websites, replacing crypto-addresses present in a clipboard, and mining cryptocurrencies on infected machines. Several versions of Clipsa also deploy an XMRig coinminer to make even more money from infected computers.

Clipsa spreads as a malicious executable file, likely disguised as codec pack installers for media players. Once on an infected device, Clipsa can perform multiple actions, such as searching for cryptowallet addresses present in victims’ clipboards to then replace the addresses victims want to send money to with wallet addresses owned by the bad actors behind Clipsa. Furthermore, Clipsa is capable of searching for and stealing wallet.dat files, and installing a cryptocurrency miner.

Additionally, Clipsa uses infected PCs to crawl the internet for vulnerable WordPress sites. Once it finds a vulnerable site, it attempts to brute-force its way into the site, sending the valid login credentials to Clipsa’s C&C servers. While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached sites. We also suspect they use the infected sites as secondary C&C servers to host download links for miners, or to upload and store stolen data.

You can read all the details here:

https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/

Again, we need to be safe and be careful as we don't want to be the next victim here.

I also did see a removal guide here, but I'm not certain how effective it is.
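A defender-side check for the clipboard-replacement behaviour quoted from Avast above (an added example, not code from this thread or from Avast): it scans a log of clipboard snapshots for one Bitcoin address being replaced by a different one within a short window, which is the pattern a clipper produces while the user is pasting. The snapshot records, the coarse address-shape regex (no checksum validation) and the 2-second window are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Coarse shape check for legacy/P2SH (base58, starts with 1 or 3) and
# bech32 (starts with bc1) Bitcoin addresses. It does not verify checksums;
# it only decides whether a clipboard entry "looks like" an address.
BTC_ADDR = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$")

# Assumption: a host agent records every clipboard change with a timestamp.
@dataclass
class Snapshot:
    t: float      # seconds since the agent started
    text: str     # clipboard contents at that moment

def is_btc_address(s: str) -> bool:
    return bool(BTC_ADDR.match(s.strip()))

def find_clipboard_swaps(snaps: List[Snapshot], window: float = 2.0) -> List[Tuple[str, str, float]]:
    """Return (original, replacement, seconds_between) for every case where
    a BTC address was replaced by a *different* BTC address within `window`
    seconds. A user re-copying the same address, or copying two addresses
    minutes apart, is not flagged; a sub-second address-to-address change
    with no user action in between is the clipper signature."""
    alerts = []
    prev = None
    for snap in snaps:
        if (prev is not None
                and is_btc_address(prev.text) and is_btc_address(snap.text)
                and prev.text.strip() != snap.text.strip()
                and 0 <= snap.t - prev.t <= window):
            alerts.append((prev.text.strip(), snap.text.strip(), snap.t - prev.t))
        prev = snap
    return alerts

# Constructed sample log: the addresses are made-up strings of valid shape,
# not real wallets. Only the 5.0s -> 5.3s change should be flagged.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for tuesday"),
    Snapshot(5.0, "1VictimAddrConstructedDemo1234"),      # user copies payee
    Snapshot(5.3, "1AttackerAddrConstructedDemo5678"),    # silently replaced
    Snapshot(40.0, "1VictimAddrConstructedDemo1234"),     # user copies again later
    Snapshot(80.0, "1AttackerAddrConstructedDemo5678"),   # 40s later: not a swap
]

if __name__ == "__main__":
    for orig, repl, dt in find_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"possible clipper: {orig} -> {repl} after {dt:.2f}s")
```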