Clipsa Malware

Original Issue Date:- September 20, 2019
Virus Type:-Multipurpose Password Stealer
Severity:- High

It has been reported that a malware named as “Clipsa” is spreading. The malware mainly spreads in the form of executable files masquerading as installer for media players.The malware is capable of performing the following functions:

  • Steals administrative credentials from unsecured wordpress sites.
  • Mine and steal crypto currencies by replacing crypto addresses present in a clipboard via clipboard hijacking.
  • Scans internet and launches brute-force attacks on Wordpress sites.
  • Leads to degradation of system performances due to excessive use of resources in crypto currency mining.
  • May use the compromised websites as secondary command and control servers to host malicious files or upload stolen data.

Indicator of Compromise:

File system changes:

  • C:\Users\user\AppData\Roaming\AudioDG\condlg.exe
  • C:\Users\user\AppData\Roaming\AudioDG\zcondlg.exe
  • C:\Users\user\AppData\Roaming\WinSys\coresys.exe
  • C:\Users\user\AppData\Roaming\WinSys\xcoresys.exe
  • C:\Users\user\AppData\Roaming\AudioDG\log.dat
  • C:\Users\user\AppData\Roaming\AudioDG\obj\
  • C:\Users\user\AppData\Roaming\AudioDG\udb\
  • C:\Users\user\AppData\Local\Temp\xxxxxxxx.exe
  • C:\Users\user\AppData\Roaming\Host\svchost.exe
  • 65923_VTS.asx
  • setup.bin

Command and control servers:

  • poly.ufxtools[.]com
  • robertholeon[.]com
  • deluxesingles[.]com
  • naijafacemodel[.]com
  • www.quanttum[.]trade
  • www.blinov-house[.]ru
  • ssgoldtravel[.]com
  • www.greenbrands[.]ir
  • new.datance[.]com
  • besttipsfor[.]com
  • chila[.]store
  • globaleventscrc[.]com
  • mahmya[.]com
  • mohanchandran[.]com
  • mutolarahsap[.]com
  • northkabbadi[.]com
  • poly.ufxtools[.]com
  • raiz[.]ec
  • rhsgroup[.]ma
  • robinhurtnamibia[.]com
  • sloneczna10tka[.]pl
  • stepinwatchcenter[.]se
  • topfinsignals[.]com
  • tripindiabycar[.]com
  • videotroisquart[.]net
  • wbbministries[.]org

File hashes:

  • 2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E
  • FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5
  • A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1
  • B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5
  • F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42

Note: For complete analysis and IOCs, click here

Best Practices

  • Monitor and block network traffic and systems making connections to the above mentioned domain/IPs at firewall, IDS, web gateways, routers or other perimeter based devices.
  • Delete the file system and registry changes made by the malware.
  • Disable the Autorun functionality in Windows
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
  • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through browser.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
  • Consider encrypting the confidential data as the ransomware generally targets common file types.
  • Exercise caution while visiting links to Web pages.
  • Do not visit untrusted websites.
  • Use strong passwords and also enable password policies.
  • Enable firewall at desktop and gateway level.
  • Protect yourself against social engineering attacks.