Clipsa, The Multi-talented Crypto Asset Thieving Malware
Here at hackercombat.com, we have covered stories about banking trojans on a fairly regular basis. Black-hat hackers are after people's money; profit is their main, if not their only, motivation for their campaigns. Of course, as cybersecurity vendors rebuild their products and services to address a specific security concern, the threat actors' resourcefulness is put to the test, and they usually respond. This scenario is now clearly demonstrated by the discovery of a malware family named Clipsa. Security researchers consider it a hacking tool gone rogue, as its purpose is to steal cryptocurrency from digital wallets and also to hijack vulnerable WordPress sites in order to harvest administrator accounts.
Compared to banking trojans, which go out of their way to remain hidden for as long as possible, Clipsa is a total package for stealing value from a computer or website. It was designed with many purposes, too many to hide from an observant user: cryptocurrency wallet theft, cryptomining on the infected machine, and taking over the operating system's clipboard in order to swap the user's crypto wallet address for the malware author's address during cryptocurrency transactions.
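The clipboard swap described above works because a long wallet address is rarely read back by the user before pasting. The following is an added example, not code from the article or from Avast, showing the defensive check a wallet front-end or clipboard monitor can apply: remember what the user last copied, and raise an alert when the clipboard later holds a different value that also looks like a wallet address. The address formats, the regular expressions and the sample addresses are assumptions constructed for the demonstration.

```python
import re

# Loose format patterns for common address types (assumption: only Bitcoin legacy,
# Bitcoin bech32 and Ethereum are covered; extend for other chains as needed).
WALLET_PATTERNS = [
    re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),   # Bitcoin legacy, base58 (no 0, O, I, l)
    re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),          # Bitcoin bech32
    re.compile(r"^0x[0-9a-fA-F]{40}$"),                   # Ethereum, 20-byte hex
]


def looks_like_wallet_address(text):
    """True if the text matches one of the known address shapes."""
    candidate = text.strip()
    return any(p.match(candidate) for p in WALLET_PATTERNS)


class ClipboardGuard:
    """Tracks what the user deliberately copied and flags silent replacements.

    A clipper trojan rewrites the clipboard without a user copy event, so a
    wallet-shaped value that differs from the last user copy is suspicious.
    """

    def __init__(self):
        self.last_user_copy = None

    def user_copied(self, text):
        # Called from the application's own copy action, i.e. a change the user caused.
        self.last_user_copy = text

    def check(self, clipboard_now):
        """Return None when the clipboard is what the user copied, else an alert dict."""
        if self.last_user_copy is None or clipboard_now == self.last_user_copy:
            return None
        if looks_like_wallet_address(self.last_user_copy) and looks_like_wallet_address(clipboard_now):
            return {
                "reason": "wallet address replaced in clipboard",
                "expected": self.last_user_copy,
                "found": clipboard_now,
            }
        # Any other change (e.g. the user copied plain text elsewhere) is not a clipper signature.
        return None


# Constructed sample values: a legitimate destination address and a substitute address
# of the same format, as a clipper would supply (neither belongs to a real campaign).
USER_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SWAPPED_ADDRESS = "1HxJ4cK7ZzVpPiM3sNbQd8wR2kLfT9yUaE"


def demo():
    """Simulate one transaction: user copies an address, the clipboard is then altered."""
    guard = ClipboardGuard()
    guard.user_copied(USER_ADDRESS)
    before_swap = guard.check(USER_ADDRESS)      # clipboard untouched -> None
    after_swap = guard.check(SWAPPED_ADDRESS)    # clipboard rewritten -> alert
    return before_swap, after_swap


if __name__ == "__main__":
    clean, alert = demo()
    print("untouched clipboard:", clean)
    print("swapped clipboard:", alert)
```

In a real deployment the `user_copied` hook would be wired to the wallet application's copy button and `check` to the paste or send action; the point is that the comparison happens at the moment the address is consumed, which is where the swap matters.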
Clipsa's authors are also using their malware to brute-force WordPress websites with weak credentials, which is unusual for malware of this kind. Botnets of hundreds to thousands of zombie devices are the usual agents for brute-forcing target websites; for a single piece of malware to do the same is an innovation on the part of Clipsa's authors. How does Clipsa spread? In a very unsophisticated way: it pretends to be a codec pack for Windows, claiming to be a necessary component for the operating system to play back obscure audio and video files that are not supported by default.
“We estimate that the attack vector is most likely malicious codec pack installers for media players (Ultra XVid Codec Pack.exe or Installer_x86-x64_89006.exe). Users who try to install these codecs for their media players inadvertently download malicious installers instead of clean ones. Once users begin the installation process, they deploy Clipsa on their machines and the malware immediately starts its malicious behavior,” explained Jan Rubin, Avast’s Malware Researcher.
His team has posted its findings on Avast's official blog, highlighting massive infection counts in India (43,000+ cases), the Philippines (28,000+ incidents) and Brazil (13,000+ instances). We recommend that you check your Windows Task Manager, as Clipsa terminates all running instances of it once the computer is infected. It does this by tapping into the Windows Management Instrumentation (WMI) API to find and kill Task Manager using an SQL-like (WQL) query:
Select * from Win32_Process WHERE Name = 'taskmgr.exe'
In the initial infection stage, Clipsa then makes multiple copies of itself so that it survives a system restart. It copies itself to the following paths:
All of the above paths are backed by a Registry entry:
C:\Users\user\AppData\Roaming\AudioDG\condlg.dll provides the capability to monitor the clipboard for cryptocurrency wallet information (for swapping). For coinmining, it uses the condlg.exe file, which connects to poly.ufxtools.com as its command-and-control server. Overall, it uses more than a dozen command-and-control servers to support all its functionalities:
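The installer names, dropped file names, drop directory and command-and-control domain quoted in this article are the indicators a defender would sweep endpoint telemetry for. The following is an added example, not code from the article or from Avast, that matches those indicators against process-creation, file-creation and DNS events. The log format is a simplified key=value layout constructed for the demonstration; the event lines are made up and do not come from a real incident.

```python
import re

# Indicators as quoted in the article: malicious installer names, dropped files,
# the drop directory and the coinminer's command-and-control domain.
CLIPSA_INDICATORS = {
    "dropper_name": ["Ultra XVid Codec Pack.exe", "Installer_x86-x64_89006.exe"],
    "dropped_file": ["condlg.dll", "condlg.exe"],
    "path_fragment": [r"AppData\Roaming\AudioDG"],
    "c2_domain": ["poly.ufxtools.com"],
}

# Constructed sample telemetry (assumption: a key=value line per event, values may contain spaces).
SAMPLE_LOG = """\
event=ProcessCreate image=C:\\Users\\alice\\Downloads\\Ultra XVid Codec Pack.exe parent=explorer.exe
event=FileCreate target=C:\\Users\\alice\\AppData\\Roaming\\AudioDG\\condlg.dll
event=ProcessCreate image=C:\\Users\\alice\\AppData\\Roaming\\AudioDG\\condlg.exe parent=condlg.exe
event=DnsQuery query=poly.ufxtools.com image=C:\\Users\\alice\\AppData\\Roaming\\AudioDG\\condlg.exe
event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
event=DnsQuery query=www.example.com image=C:\\Program Files\\Browser\\browser.exe
"""

# A value runs until the next " key=" token or end of line, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Split one key=value event line into a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def match_indicators(fields):
    """Return (kind, indicator) pairs whose indicator appears in any field value."""
    haystack = " ".join(fields.values()).lower()
    hits = []
    for kind, indicators in CLIPSA_INDICATORS.items():
        for ioc in indicators:
            if ioc.lower() in haystack:
                hits.append((kind, ioc))
    return hits


def scan(log_text):
    """Scan every line and return one alert record per indicator hit."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = parse_line(line)
        for kind, ioc in match_indicators(fields):
            alerts.append({
                "line": line_no,
                "event": fields.get("event"),
                "kind": kind,
                "indicator": ioc,
            })
    return alerts


def flagged_lines(log_text):
    """Distinct line numbers that produced at least one alert."""
    return sorted({a["line"] for a in scan(log_text)})


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print("lines flagged:", flagged_lines(SAMPLE_LOG))
```

Plain substring matching is deliberate here: the file names and domain are short, distinctive strings, and a case-insensitive contains check catches them regardless of how the collecting agent quoted the path. Behavioural signals the article also mentions, such as repeated termination of taskmgr.exe shortly after a codec installer ran, would be the natural next rule to layer on top of these static indicators.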