TOP > News > Crypto Stealing Malware Clipsa Targeted Computers in the Philippines
August 7, 2019 Published

Cybersecurity firm Avast released details on how Clipsa, a crypto stealing malware worked its way across computers around the world, particularly in India and the Philippines.

August 7, 2019 – Cybersecurity firm Avast released details on how Clipsa, a crypto stealing malware worked its way across computers around the world, particularly in India and the Philippines.

Clipsa

Disguised as a codec installer for media players, Clipsa is written in Visual Basic and primarily a password stealer. It can steal admin credentials on WordPress sites and replace crypto addresses in the clipboard, not to mention mine cryptocurrency on infected computers.

Clipsa performs several actions, including searching for cryptowallet addresses in the clipboard and then replaced it with the wallet addresses by the bad actors who created it.

Avast also noted how it infects vulnerable WordPress websites:

Once it finds a vulnerable site, it attempts to brute-force its way into the site, sending the valid login credentials to Clipsa’s C&C servers. While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached sites.

Prevalence

According to Avast, Clipsa’s campaign is most prevalent in India where Avast blocked more than 43,000 infection attempts.

In the Philippines, Avas said it protected “more than 15,000 users” from Clipsa. In Brazil, it blocked 13,000 attempts.

Wallet

Avast found out that when Clipsa is installed, it comes with more than 9,000 addresses that can hold stolen funds. From its findings, the bad actors are successful in stealing over 3 bitcoin, which is Php 1.8 million in today’s exchange rates.

Last year, BitPinas reported the rise of cryptojacking and crypto mining malware globally, particularly in the Philippines. According to Kaspersky Lab, the Philippines is the 9th most attacked country globally and most of these attacks are related to cryptomining. Data sent by Kaspersky Lab revealed 10.6 million web malware infections in the Philippines for the 2nd quarter of 2018. This is twice the number from the 1st quarter (5.6 million) and a massive increase from the same quarter last year.

In another report, the League of Legends PH Client was infected by Coinhive, a javascript, which, when left alone will mine the cryptocurrency Monero (Coinhive has since shut down). According to Garena, which handles the League of Legends client, there was an unauthorized modification of the League of Legends PH client lobby where a certain javascript code was inserted. This code performs blockchain mining on affected computers, which consumes CPU resources from these computers. Garena engineers removed it promptly.

This article is first published on BitPinas: Crypto Stealing Malware Clipsa Targeted Computers in the Philippines

Photo by Markus Spiske on Unsplash

Read More:

Contact BitPinas:

For news tips, partnership discussions, or press release submissions, please send to support@bitpinas.com

Subscribe to our newsletter:

Leave a Reply