What is Clipsa Malware | How Clipsa Steals Cryptocurrency and Credentials of WordPress
By Chaitra V M
Clipsa is a malicious program that is categorized as a password stealer. Cybercriminals use it to steal the credentials of poorly secured WordPress websites, to steal cryptocurrency and to replace cryptocurrency wallet addresses. Some versions of Clipsa also install the XMRig cryptocurrency miner; programs of this type consume system resources to mine cryptocurrency.
Avast detected and blocked over 43,000 attacks by the Clipsa malware, which mines cryptocurrency, steals passwords and slows down the infected system.
Clipsa spreads as a malicious executable file, likely disguised as a codec pack installer for media players. It steals cryptocurrency by abusing the clipboard of the infected system: it replaces cryptocurrency wallet addresses copied to the clipboard with addresses owned by the people who distribute Clipsa, so users inadvertently transfer cryptocurrency to the cybercriminals. Additionally, the malware is known to steal wallet.dat files and to install a cryptocurrency miner such as XMRig.
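The clipboard swap described above leaves a recognisable trace: a wallet address is overwritten by a different address of the same family a fraction of a second after it was copied. The following detection heuristic is an added example, not code from the original post or from Avast; the address patterns, the two-second window and the sample clipboard snapshots are assumptions constructed for the example, and the two Bitcoin addresses are the well-known public example addresses from Bitcoin documentation, not attacker addresses.

```python
import re
from datetime import datetime, timedelta

# Rough shape of the address families a clipper typically targets.
# Assumed for this example; it is not Clipsa's own target list.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address family a clipboard value looks like, or None."""
    value = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return name
    return None

def detect_clipboard_swaps(snapshots, window_seconds=2.0):
    """snapshots: time-ordered (timestamp, clipboard_text) samples, as a
    clipboard monitor would record them. Flags every case where an
    address-like value is replaced by a different address of the same
    family within window_seconds: a user rarely copies two distinct wallet
    addresses that quickly, but a clipper overwrites the clipboard as soon
    as it sees one."""
    alerts = []
    prev_ts, prev_val = None, None
    for ts, val in snapshots:
        if prev_val is not None:
            fam_prev, fam_cur = classify(prev_val), classify(val)
            elapsed = (ts - prev_ts).total_seconds()
            if (fam_prev is not None and fam_prev == fam_cur
                    and val.strip() != prev_val.strip()
                    and elapsed <= window_seconds):
                alerts.append({"time": ts, "family": fam_cur,
                               "original": prev_val.strip(),
                               "replacement": val.strip()})
        prev_ts, prev_val = ts, val
    return alerts

def run_example():
    """Constructed clipboard history: one swap 0.3 s after a copy (alert),
    then a legitimate second address copied much later (no alert)."""
    addr_a = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public example address
    addr_b = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"  # public example address
    eth = "0x00000000000000000000000000000000deadbeef"  # constructed
    t0 = datetime(2019, 8, 1, 12, 0, 0)
    snapshots = [
        (t0, "meeting notes"),
        (t0 + timedelta(seconds=1.0), addr_a),   # user copies address
        (t0 + timedelta(seconds=1.3), addr_b),   # clipboard silently changed
        (t0 + timedelta(seconds=45.0), addr_a),  # user copies again later
        (t0 + timedelta(seconds=46.0), eth),     # different family
    ]
    return detect_clipboard_swaps(snapshots)
```

On a real endpoint the snapshots would come from a clipboard-change hook; the heuristic is a cue for investigation, not proof of infection, since a user pasting addresses from a script can trip it.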
Clipsa also uses infected PCs to crawl the internet for vulnerable WordPress sites. Once it finds one, it attempts to brute-force its way in and sends any valid login credentials to Clipsa's C&C servers. The bad actors behind Clipsa steal further data from the breached sites and use them as secondary C&C servers to host download links for miners or to upload and store stolen data.
The campaign is most prevalent in India, where Avast has blocked more than 43,000 Clipsa infection attempts, protecting more than 28,000 users in the country from the malware.
Avast analyzed 9,412 Bitcoin addresses that Clipsa had used in the past and reported that the malware operators earned additional money from funds obtained by cracking the stolen wallet.dat files.
If a device is infected with this malware, PC performance is slower than usual because of the cryptocurrency mining the malware runs in the background. It is recommended to scan any downloaded file with an antivirus before opening it.