
Clipsa

Posted: August 7, 2019

Clipsa is spyware that collects account information, mines cryptocurrencies, hijacks wallet links, and breaks into the admin accounts of WordPress websites. Users should monitor copy-pasted wallet addresses for potential tampering and disconnect from the Internet after observing any applicable symptoms. Windows anti-malware products from most vendors should delete Clipsa safely.

The Dangers of Stepping Away from Government-Issued Currencies

Although many fans of Bitcoin and other cryptocurrencies praise them for their wholesale abandonment of government oversight, trafficking in these coins comes with risks specific to them. Clipsa is an especially relevant form of spyware for those who use Bitcoin, Monero or Ethereum. This convoluted Trojan segregates its features behind different launch parameters for hijacking addresses and accounts related to such currencies.

Clipsa is circulating as a fake codec download, with installation pop-ups supporting this tactic built into its executable. When it first runs without any arguments, it presents a percentage loading bar and, eventually, an error message, making it look as if a codec attempted and failed its installation. In reality, Clipsa is completing its setup process, including establishing Registry-based persistence.

From that point, Clipsa re-launches itself with different parameters for conducting its attacks. Malware experts highlight the most immediately relevant of these below:

  • Clipsa monitors any copy-pasting of cryptocurrency wallet addresses and replaces them with similar-looking addresses from an internal list. This function redirects payments to the threat actor's wallets if the user doesn't notice the swap in time.
  • Clipsa, like Golang or Bird Miner, among others, runs a version of XMRig for mining Monero coins on the PC's CPU. It also supports a second Trojan miner in the file 65923_VTS.asx, which targets the same cryptocurrency.
  • Clipsa searches for and collects information associated with local cryptocurrency wallets, such as the user's 'wallet.dat' files.
  • An odd addition to Clipsa's payload is support for a non-financial activity: compromising WordPress websites. It uses infected PCs as hosts for brute-forcing logins to vulnerable WordPress sites and gaining admin access. Malware experts find no further details in the Trojan that provide clues as to the purpose of this third-party-targeting attack.
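As an added, defender-side illustration of the clipboard check the write-up recommends (this is example code, not part of the original article or the malware): compare the wallet address a user copied with what the clipboard holds at paste time, and quantify how "similar-looking" a substitution is. The address patterns, thresholds and sample addresses are constructed for the example and check format only.

```python
import re

# Constructed, format-only patterns for the three currencies the write-up names.
# They do not verify checksums: a substituted address passes them just as well.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "monero": re.compile(r"[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
}

# Constructed sample addresses (not real wallets): what the user copied, and
# what a clipboard hijacker might have swapped in before the paste.
COPIED_BTC = "1DemoAddrCopiedByTheUserAAAAAAAAAA"
SWAPPED_BTC = "1DemoAddrSwappedByTheBotZZZZZZAAAA"


def classify_address(text: str):
    """Return the currency whose address format `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None


def shared_edge_chars(a: str, b: str):
    """Common-prefix and common-suffix lengths; these are what a quick glance checks."""
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y or prefix + suffix >= min(len(a), len(b)):
            break
        suffix += 1
    return prefix, suffix


def check_paste(copied: str, pasted: str) -> dict:
    """Flag a clipboard substitution and describe how deceptive the swap is."""
    copied, pasted = copied.strip(), pasted.strip()
    kind = classify_address(copied)
    result = {"currency": kind, "tampered": False, "shared_prefix": 0,
              "shared_suffix": 0, "lookalike": False, "replacement_valid_format": False}
    if kind is None or copied == pasted:
        return result  # nothing wallet-like was copied, or the clipboard is unchanged
    prefix, suffix = shared_edge_chars(copied, pasted)
    result.update(tampered=True, shared_prefix=prefix, shared_suffix=suffix,
                  lookalike=prefix >= 3 or suffix >= 3,  # glance threshold, constructed
                  replacement_valid_format=classify_address(pasted) == kind)
    return result
```

A wallet front-end or paste hook can call check_paste with the string the user selected and the clipboard contents at paste time; a result with "tampered" set and a long shared prefix is exactly the case that slips past a visual check.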

Saving Your Coins from an Undeserved Hijacking

WordPress site administrators can use non-brute-forcible passwords and login names to keep their domains at low to no risk of compromise by Clipsa. This aspect of Clipsa doesn't target the local PC's users or resources directly, but it does consume system resources while searching for targets and running the attacks. Its victim list for brute-forcing is built from search engine keywords, which suggests opportunistic and relatively indiscriminate hacking attempts.

Clipsa comes with multiple features for obfuscating itself and hiding its activities from users. Among these stealth features, malware experts point out its self-pausing ability: Clipsa suspends its activities whenever a process-monitoring tool, such as Task Manager, is open. Consequently, users shouldn't depend on traditional system-monitoring software to detect anything amiss with their PCs.

Windows-compatible anti-malware products should detect and remove Clipsa, along with its components such as the XMRig miner, while scanning your PC.

Users in India, the Philippines, and Brazil especially should be wary about downloading codec packs from unknown sources. Statistically, it's not unlikely that the 'update' is, in reality, the latest version of Clipsa coming for your coins.
