The Clipsa WordPress malware is a new global attack campaign targeting blogs powered by this content management system. At the moment there is no information about the perpetrators, but the campaign's sophistication suggests that they are very experienced. This WordPress virus brute-forces the target sites and also deploys other malware such as a clipboard hijacker.
The Clipsa WordPress Malware Is Leveraged Against Blogs Worldwide
WordPress blog owners should be very cautious about their sites, as security reports indicate that a new WordPress-specific virus has been discovered. It is known as the Clipsa WordPress malware, and it runs a complex sequence of malicious actions as soon as the infection is made. At the moment the most affected countries reported include the following: India, Bangladesh, the Philippines, Brazil, Pakistan, Spain, and Italy.
The main technique used to distribute it against the intended targets is brute force attacks. The virus attempts to guess the site's account credentials using this automated process, either with dictionary-based wordlists or with a password-generation algorithm.
As soon as the malware has breached the site it looks for wallet.dat files, the data files commonly used by cryptocurrency wallet software. If the hackers identify such a file it is immediately hijacked and sent to them. This allows them to withdraw funds and replace the incoming addresses. Effectively this means that transactions forwarded to the original address can be redirected and sent to the criminals instead.
The malware sequence also searches any uploaded TXT files for strings in the BIP-39 format, which is used to store Bitcoin seed recovery phrases. In some cases these can serve as credentials for cryptocurrency wallets. If any are found, the values are stored in a separate file and uploaded to a special server. A distinct process is the deployment of a clipboard hijacker, a malicious tool that monitors the contents of the clipboard as it is entered by both the site owners and its users. An automatic trigger can be set if a text pattern related to cryptocurrency is entered.
In some cases the Clipsa WordPress malware can deploy cryptocurrency miners across the blog's hosted pages. These take the form of small scripts embedded in the pages that activate as soon as the pages are opened. They are intended to download and run a sequence of malicious tasks that place a heavy load on the visitor's system.