A new password-stealer malware has appeared that targets cryptocurrencies and brute-forces and steals administrator credentials from unsecured WordPress websites.
Avast researchers nicknamed the malware Clipsa because of its penchant for replacing cryptocurrency addresses found in the clipboard. They noted it is written in Visual Basic and that, once installed on a device, it begins mining cryptocurrency, in some cases deploying XMRig to increase the attacker’s return on investment per incident.
Clipsa has two attack vectors. It is placed in malicious codec pack installers for media players, so when a victim downloads the player, Clipsa ends up on their device as well. Once installed, the malware acts as a search agent, using the infected machine to look for additional vulnerable WordPress sites. When a target is found it attempts to brute-force its way into the site and, if successful, sends the validated login credentials to Clipsa’s command and control servers.
“While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached sites. We also suspect they use the infected sites as secondary C&C servers to host download links for miners, or to upload and store stolen data,” the researchers said.
So far the majority of attacks appear to have taken place in India, with Avast spotting more than 43,000 Clipsa infection incidents there. Smaller numbers of attacks have taken place in the Philippines and Brazil, but worldwide Clipsa has been involved in more than 360,000 attacks.