Malware with a hidden password that is aimed at stealing cryptocurrency has appeared on the Internet. It also steals administrator credentials from unprotected WordPress websites.
Avast researchers dubbed the malware Clipsa because of its tendency to replace the crypto addresses present in the clipboard. They noted that it is written in Visual Basic, that after being installed on a device it begins mining cryptocurrency, and that in some cases it deploys XMRig to increase the attacker's return on investment for the incident.
Clipsa has two attack vectors. It is placed in malicious codec package installers for media players, and when a victim downloads a media player, that person also gets Clipsa on their device. Once this happens, the malware immediately begins to act as a search agent, using infected computers to search for additional vulnerable WordPress sites. After a target is found, it tries to brute-force the login and, if successful, sends the verified credentials to Clipsa's command-and-control servers.
"We can't say with confidence, but we believe the bad actors behind Clipsa are stealing data from the sites. We also suspect that they use infected sites as secondary C&C servers to place boot links for miners, or to download and store stolen data," said the experts.
Until now, most of the attacks have taken place in India, where Avast managed to detect more than 43,000 cases of Clipsa infection. Fewer attacks occurred in the Philippines and Brazil, but worldwide Clipsa has been involved in more than 360,000 attacks.