A new malware strain named Clipsa has been making the rounds for the past year, infecting users from all over the world.
What stands out about this new threat is that besides classic malware features — such as the ability to steal cryptocurrency wallet files, install a cryptocurrency miner, and hijack the user’s clipboard to replace cryptocurrency addresses — Clipsa also includes a somewhat strange feature that allows it to launch brute-force attacks against WordPress websites.
This behavior is strange, mainly because most brute-force attacks against WordPress sites are carried out by botnets of infected servers or IoT devices.
Seeing desktop malware launch brute-force attacks on WordPress sites isn’t novel, but it’s strange and extremely rare.
“While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached [WordPress] sites,” said Avast malware researcher Jan Rubín, in a technical deep dive into Clipsa’s features he published earlier this week.
“We also suspect they use the infected [WordPress] sites as secondary C&C servers to host download links for miners, or to upload and store stolen data,” he said.
Clipsa’s cryptocurrency obsession
But while launching brute-force attacks against WordPress sites is an interesting feature, Clipsa’s main focus is — without a doubt — on cryptocurrency and its users.
First, the malware will scan a victim’s computer for wallet.dat files. These are database files for cryptocurrency wallet apps. The data contained inside allows anyone to hijack funds from the wallet’s owner. Clipsa identifies such files, and then uploads them to a remote server.
Second, Clipsa also searches for TXT files, which it opens and searches for strings in the BIP-39 format. This text pattern is used primarily for storing Bitcoin mnemonic seed recovery phrases, aka word sequences that sometimes serve as cryptocurrency wallet passwords. If it finds any such patterns, the malware saves these texts to another file and uploads it to its C&C server so they can be used for cracking the stolen wallet.dat files later on.
Third, the malware also installs a process that monitors the user’s OS clipboard (where copied/cut data is stored before being pasted). This process watches for events where the user copies or cuts a text pattern that looks like a Bitcoin or Ethereum address. Clipsa then moves in to replace that address with one belonging to its operators, hoping to hijack any payments an infected user might be making.
Fourth, in some instances, Avast says that Clipsa will also deploy XMRig on infected hosts. XMRig is an open-source app that mines the Monero cryptocurrency. By deploying XMRig, Clipsa operators will make additional funds on computers with powerful hardware configurations.
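The clipboard-hijacking behavior described above can be spotted from the defender's side: a legitimate user rarely replaces one cryptocurrency address with a different address of the same kind within a fraction of a second. The following detector is an added example, not code from Avast’s analysis or from the article; it assumes a clipboard hook (not shown) that supplies timestamped snapshots together with the process that wrote the clipboard, and the addresses and process names in the sample history are constructed.

```python
import re
from dataclasses import dataclass

# Loose address patterns, for illustration only (no checksum validation).
BTC_LEGACY = r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"   # Base58: no 0, O, I, l
BTC_BECH32 = r"bc1[ac-hj-np-z02-9]{8,87}"         # bech32 charset
ETH_HEX = r"0x[0-9a-fA-F]{40}"
ADDRESS_RE = re.compile(rf"\b({BTC_BECH32}|{BTC_LEGACY}|{ETH_HEX})\b")

@dataclass
class Snapshot:
    t: float      # seconds since monitoring started
    text: str     # clipboard text at that moment
    source: str   # process that wrote the clipboard (assumed from an OS hook)

@dataclass
class Alert:
    t: float
    old: str
    new: str
    source: str

def extract_address(text):
    """Return (kind, address) for the first address-like token, else (None, None)."""
    m = ADDRESS_RE.search(text)
    if not m:
        return None, None
    addr = m.group(1)
    return ("eth" if addr.startswith("0x") else "btc"), addr

def detect_swaps(snapshots, window=2.0):
    """Flag an address replaced by a *different* address of the same kind within
    `window` seconds: the signature of a clipboard hijacker, not of a user re-copy."""
    alerts, prev = [], None                       # prev = (snapshot, kind, addr)
    for snap in snapshots:
        kind, addr = extract_address(snap.text)
        if prev and kind and kind == prev[1] and addr != prev[2] \
                and snap.t - prev[0].t <= window:
            alerts.append(Alert(snap.t, prev[2], addr, snap.source))
        prev = (snap, kind, addr)
    return alerts

# Constructed history: the user copies a BTC address; 200 ms later another process overwrites it.
SAMPLE = [
    Snapshot(0.0, "1ConstructedAddrAAAAAAAAAAAAAAAAAA", "explorer.exe"),
    Snapshot(0.2, "1AttackerAddrBBBBBBBBBBBBBBBBBBBBB", "unknown.exe"),
    Snapshot(30.0, "meeting at 3pm", "notepad.exe"),
    Snapshot(31.0, "0x" + "ab" * 20, "browser.exe"),
    Snapshot(60.0, "0x" + "cd" * 20, "browser.exe"),  # user re-copy 29 s later
]
```

Running `detect_swaps(SAMPLE)` yields a single alert for the 200 ms BTC swap written by `unknown.exe`; the two Ethereum addresses copied 29 seconds apart are left alone.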
Avast says that since last year (August 1, 2018) their antivirus product fleet has blocked attempted Clipsa infections for more than 253,000 users.
While the company’s stats provide a narrow view, since they come from a limited number of antivirus installations, the statistics show Clipsa’s reach, with infections coming from all over the world.
Per Avast, the most Clipsa detections were recorded in countries such as India, Bangladesh, the Philippines, Brazil, Pakistan, Spain, and Italy.
Avast says the primary source of Clipsa infections appears to be codec pack installers for media players that users download from the internet.
With malicious download links available online for months at a time, this also explains why Clipsa infections are being detected at a constant rate, rather than in the big clusters that would be a sign of the malware being distributed via large email spam campaigns.
Furthermore, the group behind Clipsa appears to be making a profit as well, meaning we’ll be seeing more of this malware in the future.
Avast says it analyzed the balances of 9,412 Bitcoin addresses that Clipsa had used in the past. The Czech antivirus maker says Clipsa operators have made almost 3 Bitcoin from funds received in 117 of these addresses. That’s about $35,000 per year, just by hijacking infected users’ clipboards.
However, the malware’s operators probably made even more money if we add the funds they might have gained access to by cracking the stolen wallet.dat files, and the funds made by mining Monero on users’ computers.