Clipsa cryptostealer targeting WordPress sites | SC Media

A new password-stealing malware has appeared that targets cryptocurrencies and also brute-forces and steals administrator credentials from unsecured WordPress websites.


Avast researchers nicknamed the malware Clipsa because of its penchant for replacing crypto-addresses present in a clipboard. They noted that it is written in Visual Basic and that, once installed on a device, it begins mining cryptocurrency, in some cases deploying XMRig to increase the attacker’s return on investment per incident.


Clipsa has two attack vectors. It is placed in malicious codec pack installers for media players, and when a victim downloads the player, that person also ends up with Clipsa on their device. Once this happens, the malware starts to act as a search agent, using the infected machines to search for additional vulnerable WordPress sites. Once a target is spotted, it attempts to brute-force its way into the system and, if successful, sends the validated login credentials to Clipsa’s command and control servers.
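For site owners, the brute-force stage described above is visible in web server access logs. The following is an added example, not code from the article or from Avast: it flags source IPs with a burst of failed `wp-login.php` POSTs and marks the ones where a success followed, so those passwords can be rotated. It assumes stock WordPress behaviour (a failed login returns HTTP 200, a successful one redirects with 302); the log lines, IP addresses, threshold and window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: combined log format; failed login = POST answered 200, success = 302.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def _line(ip, sec, status, method="POST"):
    """Build one constructed access-log line (sample data only)."""
    return (f'{ip} - - [10/Aug/2019:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3120')

# Constructed sample log, not real traffic.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, 200) for s in range(0, 12, 2)]    # 6 failures...
    + [_line("203.0.113.7", 14, 302)]                          # ...then a success
    + [_line("192.0.2.44", s, 200) for s in range(20, 30, 2)]  # 5 failures, no success
    + [_line("198.51.100.20", 40, 200), _line("198.51.100.20", 45, 302)]  # user typo
    + [_line("198.51.100.20", 50, 200, "GET")]                 # page view, ignored
)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "compromised": bool}} for every IP that sent
    at least `threshold` failed logins inside one sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"])))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, status in evs if status == 200]
        start, burst = 0, False
        for end, ts in enumerate(fails):
            while ts - fails[start] > window:   # shrink window from the left
                start += 1
            burst = burst or (end - start + 1 >= threshold)
        if burst:
            # A 302 after the first failure means a guess probably worked.
            hit = any(s == 302 and t > fails[0] for t, s in evs)
            findings[ip] = {"failures": len(fails), "compromised": hit}
    return findings
```

Any entry with `compromised` set to true warrants an immediate password reset and a review of what that session did after logging in.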


“While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached sites. We also suspect they use the infected sites ..
