The Clipsa malware is a threat that falls into the category of password collectors. The activity of the Clipsa malware seems to be concentrated in several regions – Brazil, India and the Philippines. The Clipsa malware project appears to be in its early stages, and it is likely that its authors will further weaponize this threat.
The creators of the Clipsa malware have opted to disguise their threat as a fake media player or a fraudulent codec pack. Users are urged to install it if they want to be able to view the content on the website. Users should be very wary of Web pages that require them to install additional software in order to view their contents, as this is a commonly used trick to propagate various types of malware.
The Clipsa malware will store its corrupted files in system directories, and then gain persistence by configuring the Windows Registry to start its files automatically whenever Windows boots up. This threat is able to plant a cryptocurrency miner on the compromised machine. However, the Clipsa malware uses a cunning technique to ensure that the cryptocurrency miner will not be spotted by the user. This threat will scan the running processes, as well as the open windows, every ten seconds. The goal of the scan is to determine whether the user has opened the Task Manager or started Process Hacker or Process Explorer, because these applications will show the user the CPU usage. When a cryptocurrency miner is working, the CPU usage goes through the roof, and it is very likely that the victim will notice that something smells fishy. If such processes are detected, the Clipsa malware will cease its mining activity immediately.
The Clipsa malware is mainly used to collect login credentials from its victims. However, it has some other capabilities too. Systems infected by the Clipsa malware will periodically execute a script that scans the Internet for WordPress websites that are vulnerable to brute-force attacks. If the scan returns valid login credentials for a particular WordPress page, Clipsa will transfer the URL, username, and password to the attacker's control server. The Clipsa malware also monitors the clipboard on the compromised host, and if it detects that the user has copied a cryptocurrency wallet address, it will erase it and replace it with a wallet address that belongs to the attackers. Malware researchers spotted that the Clipsa malware is sometimes delivered with a '.dat' file containing several thousand Ethereum and Bitcoin wallets, all of which are used by the authors of this threat. It appears that the shady operations of the creators of the Clipsa malware have been fruitful – the attackers have generated more than 55 ETH (~$12,000).
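The clipboard-swapping behaviour described above leaves a detectable trace: a copied wallet address is replaced by a different address of the same currency almost instantly, which a normal user rarely does. The following Python is an added, defender-side example (not code from the page or from the Clipsa authors) that runs this heuristic over constructed clipboard snapshots; the two-second window, the address patterns and the sample data are assumptions.

```python
import re

# Address shapes for the two currencies the page mentions: Bitcoin (legacy base58
# starting with 1 or 3, or bech32 starting with bc1) and Ethereum (0x + 40 hex).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumed threshold: a person rarely copies two different wallet addresses within
# a couple of seconds, so a same-currency replacement that fast is suspicious.
SWAP_WINDOW_SECONDS = 2.0


def classify(text):
    """Return 'btc' or 'eth' if text looks like a wallet address, else None."""
    t = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None


def find_swaps(snapshots):
    """snapshots: list of (seconds_since_start, clipboard_text) taken by a poller.
    Flag consecutive snapshots where an address of one currency is replaced by a
    different address of the same currency within SWAP_WINDOW_SECONDS."""
    alerts = []
    for (prev_ts, prev_text), (ts, text) in zip(snapshots, snapshots[1:]):
        kind = classify(text)
        if kind is None or classify(prev_text) != kind:
            continue
        old, new = prev_text.strip(), text.strip()
        if old != new and ts - prev_ts <= SWAP_WINDOW_SECONDS:
            alerts.append((old, new, ts))
    return alerts


# Constructed sample: the user copies an ETH address and 0.4 s later the clipboard
# holds a different ETH address, the behaviour the page attributes to Clipsa.
SAMPLE = [
    (0.0, "meeting notes"),
    (5.0, "0x" + "a" * 40),
    (5.4, "0x" + "b" * 40),
    (30.0, "1" + "A" * 33),
    (60.0, "1" + "A" * 33),   # same address re-copied: not a swap
]

if __name__ == "__main__":
    for old, new, ts in find_swaps(SAMPLE):
        print(f"[{ts:.1f}s] clipboard address replaced: {old} -> {new}")
```

In a real monitor the snapshots would come from polling the system clipboard; the heuristic itself is the same, and an alert is a cue to compare the pasted address against the one the user intended before sending funds.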
Despite this threat being fairly new, it is already showing signs that it may cause headaches for many people around the world. Make sure that you have a legitimate anti-malware application, which will keep your system safe from nasty threats like the Clipsa malware.