Crypto Stealing Malware Clipsa Targeted Computers in the Philippines


August 7, 2019 – Cybersecurity firm Avast released details on how Clipsa, a crypto-stealing malware, worked its way across computers around the world, particularly in India and the Philippines.

Clipsa

Disguised as a codec installer for media players, Clipsa is written in Visual Basic and is primarily a password stealer. It can steal admin credentials for WordPress sites and replace cryptocurrency addresses in the clipboard, and it also mines cryptocurrency on infected computers.

Clipsa performs several actions, including searching the clipboard for cryptocurrency wallet addresses and replacing them with wallet addresses controlled by the bad actors who created it. A victim who copies a payment address and pastes it into a wallet therefore sends the funds to the attacker instead, unless the pasted address is checked against the one that was copied.
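The following is an added example, not code from Avast's report or from BitPinas: it models the clipboard substitution described above and shows the host-side check that catches it. The Bitcoin addresses are well-known public addresses used purely as fixtures, the single attacker wallet is a constructed stand-in for Clipsa's embedded wallet list, and the rule Clipsa uses to pick a replacement address is not described on the page, so the model simply uses the first attacker wallet.

```python
"""Model of a clipboard "clipper" and a detector for it.

Added example; not Avast's or BitPinas's code. Addresses are public
fixtures; ATTACKER_WALLETS is a constructed stand-in for the real list.
"""
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses.
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy addresses: '1' or '3' followed by 25-34 base58 chars.
BTC_LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Constructed stand-in for the attacker's wallet list (Clipsa ships thousands).
ATTACKER_WALLETS = ["1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"]


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 bytes are the
    double-SHA256 checksum of the first 21 (version + hash160)."""
    n = 0
    for ch in addr:
        if ch not in BASE58:
            return False
        n = n * 58 + BASE58.index(ch)
    # Each leading '1' encodes a leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def clipper_substitute(clipboard_text: str, wallets=ATTACKER_WALLETS) -> str:
    """Model of the malware: every checksum-valid legacy address found in
    the clipboard text is replaced with an attacker-controlled address."""
    def swap(match):
        found = match.group(0)
        return wallets[0] if base58check_valid(found) else found
    return BTC_LEGACY_RE.sub(swap, clipboard_text)


def watch_clipboard(events):
    """Detector run from the user's side of the clipboard.

    events: sequence of ("copy", text) for the user's own copy actions and
    ("poll", text) for periodic reads of the clipboard. The address the user
    last copied (if it is a valid address) becomes the expectation; any
    polled clipboard whose first address differs from it is reported as a
    (expected, observed) pair. Nothing but a user copy may change the
    expectation, which is exactly what a clipper violates.
    """
    expected = None
    alerts = []
    for kind, text in events:
        addrs = BTC_LEGACY_RE.findall(text)
        if kind == "copy":
            expected = addrs[0] if addrs and base58check_valid(addrs[0]) else None
        elif kind == "poll" and expected and addrs and addrs[0] != expected:
            alerts.append((expected, addrs[0]))
    return alerts


if __name__ == "__main__":
    # Constructed scenario: the user copies the genesis-block address, the
    # clipper rewrites the clipboard, and the watcher flags the change.
    victim = "pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    tampered = clipper_substitute(victim)
    print(watch_clipboard([("copy", victim), ("poll", victim), ("poll", tampered)]))
```

The checksum test matters for both sides: the malware uses it (or something like it) to avoid rewriting random strings, and the detector uses it so that only a genuine address the user copied sets the expectation. A real deployment would feed `watch_clipboard` from the platform clipboard API on a timer; the polling interval is the detector's blind spot, so the paste itself should still be compared against the copied address before a transaction is signed.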

Avast also noted how it infects vulnerable WordPress websites:

Once it finds a vulnerable site, it attempts to brute-force its way into the site, sending the valid login credentials to Clipsa’s C&C servers. While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached sites.

Prevalence

According to Avast, Clipsa’s campaign is most prevalent in India where Avast blocked more than 43,000 infection attempts.

In the Philippines, Avast said it protected “more than 15,000 users” from Clipsa. In Brazil, it blocked 13,000 attempts.

Wallet

Avast found that Clipsa ships with more than 9,000 addresses that can receive stolen funds. From its findings, the bad actors have succeeded in stealing over 3 bitcoin, which is about Php 1.8 million at today's exchange rates.

Last year, BitPinas reported the rise of cryptojacking and crypto-mining malware globally, and particularly in the Philippines. According to Kaspersky Lab, the Philippines is the 9th most attacked country globally, and most of these attacks are related to cryptomining. Data from Kaspersky Lab showed 10.6 million web malware infections in the Philippines for the 2nd quarter of 2018, twice the number from the 1st quarter (5.6 million) and a massive increase over the same quarter of the previous year.

In another report, the League of Legends PH client was found to carry Coinhive, a JavaScript miner which, when left running, mines the cryptocurrency Monero (Coinhive has since shut down). According to Garena, which handles the League of Legends client, there was an unauthorized modification of the League of Legends PH client lobby in which a certain JavaScript snippet was inserted. This code performed mining on affected computers, consuming their CPU resources. Garena engineers removed it promptly.

This article is first published on BitPinas: Crypto Stealing Malware Clipsa Targeted Computers in the Philippines

Photo by Markus Spiske on Unsplash


Michael Mislos

A business ad graduate from the Pamantasan ng Lungsod ng Maynila, Mike is the website manager of Bitpinas.com. He is responsible for almost every content you see on the site, from topic/news selection to editing of articles. Mike believes correct information about blockchain and cryptocurrency can empower people to make accurate decisions about the industry, which, in turn, should deter bad actors from taking advantage of crypto & blockchain. [Telegram @mikemislos]
