Bitcoin Forum
February 18, 2020, 06:48:33 AM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: [Warning]Clipsa – Multipurpose password stealer  (Read 69 times)
Baofeng
Hero Member
*****
Offline Offline

Activity: 1050
Merit: 788


View Profile
August 16, 2019, 02:43:59 PM
Merited by DdmrDdmr (2), BitMaxz (1), rosezionjohn (1)
 #1

I just thought to share this to everyone, I saw this in our local boards here: [MALWARE] Crypto Stealing Malware Clipsa Targeted Computers in the Philippines by rosezionjohn

Report says that the malicious malware has stolen around 3 BTC not that big but the thing is that it can continue to infect a lot of pc's around the world and the number could grow in months.

What makes this scary is that this malware targeted crypto wallets. As per this blog post by Avast:

Quote
High level overview

Clipsa is a multipurpose password stealer, written in Visual Basic, focusing on stealing cryptocurrencies, brute-forcing and stealing administrator credentials from unsecured WordPress websites, replacing crypto-addresses present in a clipboard, and mining cryptocurrencies on infected machines. Several versions of Clipsa also deploy an XMRig coinminer to make even more money from infected computers.

Clipsa spreads as a malicious executable file, likely disguised as codec pack installers for media players. Once on an infected device, Clipsa can perform multiple actions, such as searching for cryptowallet addresses present in victims’ clipboards to then replace the addresses victims want to send money to with wallet addresses owned by the bad actors behind Clipsa. Furthermore, Clipsa is capable of searching for and stealing wallet.dat files, and installing a cryptocurrency miner.

Additionally, Clipsa uses infected PCs to crawl the internet for vulnerable WordPress sites. Once it finds a vulnerable site, it attempts to brute-force its way into the site, sending the valid login credentials to Clipsa’s C&C servers. While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached sites. We also suspect they use the infected sites as secondary C&C servers to host download links for miners, or to upload and store stolen data.

You can read all the details here:

https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/

Again, we need to be safe and be careful as we don't want to be the next victim here.

I also did saw removal guide here, but I'm not certain how effective it is.

..bustadice..         ▄▄████████████▄▄
     ▄▄████████▀▀▀▀████████▄▄
   ▄███████████    ███████████▄
  █████    ████▄▄▄▄████    █████
 ██████    ████████▀▀██    ██████
██████████████████   █████████████
█████████████████▌  ▐█████████████
███    ██████████   ███████    ███
███    ████████▀   ▐███████    ███
██████████████      ██████████████
██████████████      ██████████████
 ██████████████▄▄▄▄██████████████
  ▀████████████████████████████▀
                     ▄▄███████▄▄
                  ▄███████████████▄
   ███████████  ▄████▀▀       ▀▀████▄
               ████▀      ██     ▀████
 ███████████  ████        ██       ████
             ████         ██        ████
███████████  ████     ▄▄▄▄██        ████
             ████     ▀▀▀▀▀▀        ████
 ███████████  ████                 ████
               ████▄             ▄████
   ███████████  ▀████▄▄       ▄▄████▀
                  ▀███████████████▀
                     ▀▀███████▀▀
           ▄██▄
           ████
            ██
            ▀▀
 ▄██████████████████████▄
██████▀▀██████████▀▀██████
█████    ████████    █████
█████▄  ▄████████▄  ▄█████
██████████████████████████
██████████████████████████
    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
       ████████████
......Play......
You get merit points when someone likes your post enough to give you some. And for every 2 merit points you receive, you can send 1 merit point to someone else!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1582008513
Hero Member
*
Offline Offline

Posts: 1582008513

View Profile Personal Message (Offline)

Ignore
1582008513
Reply with quote  #2

1582008513
Report to moderator
1582008513
Hero Member
*
Offline Offline

Posts: 1582008513

View Profile Personal Message (Offline)

Ignore
1582008513
Reply with quote  #2

1582008513
Report to moderator
1582008513
Hero Member
*
Offline Offline

Posts: 1582008513

View Profile Personal Message (Offline)

Ignore
1582008513
Reply with quote  #2

1582008513
Report to moderator
DdmrDdmr
Hero Member
*****
Offline Offline

Activity: 770
Merit: 3336


There are lies, damned lies and statistics. MTwain


View Profile WWW
August 16, 2019, 03:17:12 PM
 #2

What knocks me off balance a bit reading the referenced avast article is that their charts start in August 2018. I’ve seen a few alternative sources and some of them cite this specific malware instance as new, but the charts (and some of the text) state otherwise. The spread in time chart indicates that it is receding to a fairly low point, so perhaps Avast is recapping here (I’ve google it too, but nearly all significant entries are recent).

scambust
Legendary
*
Offline Offline

Activity: 1610
Merit: 1007



View Profile
August 16, 2019, 07:34:02 PM
 #3

Whatever it is... It is easier to hack your laptop or phone than an actual physical robbery nowadays. Never leave your sensitive passwords in the browser. It is a bit annoying to type your passwords all the time but better safe than sorry.


▄▄▄███████▄▄▄
▄▄█████▀▀''`▀▀█████▄▄
▄███P'            `YY██▄
▄██P'                  `Y██▄
███'                      `███
███'                         ███
▄██'   ▄█████▄▄  ,▄▄▄▄▄▄▄▄▄▄p   ███
▄██▀  ,████▀P▀███.`██████████P   ▀██▄
███[ ,████ __. ███.   ,▄████▀    ███
███[ ]████████████[  ▄████▀       ███
███[ `████   ,oo2 ▄████▀'       ,███
▀██▄  `████▄▄█████d███████████   ▄██▀
▀██.   `▀▀▀▀▀▀"  Y▀▀▀▀▀▀▀▀▀▀▀  ,██▀
███.                        ,███
▀██▄                      ▄██▀
▀███▄_                 ,███▀
▀███▄▄_          _▄▄███▀
▀▀████▄▄ooo▄▄█████▀
▀▀███████▀▀'

365

TM

EZ365 is a digital ecosystem that combines
the best aspects of online gaming, cryptocurrency
trading
and blockchain education. ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

..WHITEPAPER..    ..INVESTOR PITCH..

.Telegram     Twitter   Facebook

                       .'M████▀▀██  ██
                      W█Ws'V██  ██▄▄███▀▀█
                     i█████m.~M████▀▀██  ███
                     d███████Ws'V██  ██████
                     ****M██████m.~███f~~__mW█
          ██▀▀▀████████=  Y██▀▀██W ,gm███████
      g█████▄▄▄██   █A~`_WW Y█  ██!,████████
   g▀▀▀███   ████▀▀`_m████i!████P W███  ██
 _███▄▄▄██▀▀▀███Af`_m███   █W ███A ]███  ██
__ ~~~▀▀▀▀▄▄▄█*f_m██████   ██i!██!i███████
Y█████▄▄▄▄__. i██▀▀▀██████████ █!,██████
 8█  █▀▀█████.!██   ██████████i! █████
 '█  █  █   █W M█▄▄▄██████   ██ !██
  !███▄▄█   ██i'██████████   ██
   Y███████████.]██████████████
   █   ███████b ███   ██████
   Y   █   █▀▀█i!██   ████
    V███   █  █W Y█████
      ~~▀███▄▄▄█['███
            ~~*██

Play

            │
    │      ███
    │      ███
    │      ███
    │   │  ███
   ███  │  ███
   ███ ███ ███
 │  ███ ███ ███
███ ███ ███ ███
███ ███  │   │
███ ███  │   │
 │   │
 │

Trade

           __▄▄████▄▄
     __▄▄███████████████▄▄▄
 _▄▄█████████▀▀~`,▄████████████▄▄▄
 ~▀▀████▀▀~`,_▄▄███████████████▀▀▀
   d█~  =▀███████████████▀▀
   ]█! m▄▄ '~▀▀▀████▀▀~~ ,_▄▄
  ,W█. *████▄▄__ '  __▄▄█████
  !██P  █████████████████████
   W█. - ██████████████████▀
  i██[   ~ ▀▀█████████▀▀▀
 g███!
Y███

Learn
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!