Original Issue Date: September 20, 2019
Virus Type: Multipurpose Password Stealer
It has been reported that a malware named "Clipsa" is spreading. The malware mainly spreads as executable files masquerading as installers for media players. The malware is capable of performing the following functions:
- Steals administrative credentials from unsecured WordPress sites.
- Hijacks the clipboard, replacing cryptocurrency wallet addresses copied by the user with attacker-controlled addresses so that payments are diverted, and mines cryptocurrency on the infected host.
- Scans the internet for WordPress sites and launches brute-force (password-guessing) attacks against them.
- Degrades system performance through the excessive CPU and memory consumed by cryptocurrency mining.
- May use the compromised websites as secondary command-and-control servers to host malicious files or to upload stolen data.
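The clipboard hijacking described above leaves a recognisable trace on the endpoint: the clipboard holds a wallet address the user copied, and a fraction of a second later it holds a different address of the same coin. The following detector, added here as an illustration and not part of this advisory or of any published Clipsa analysis, runs that check over a sequence of clipboard snapshots. The address regexes, the 2-second window and the sample trace are assumptions constructed for the example; the regexes match address formats only and do not validate checksums.

```python
"""Clipper (clipboard-hijack) detector: flags a copied cryptocurrency address that is
silently swapped for a different address of the same coin within a short window.
Added example; not code from the advisory or from the malware analysis it cites."""
import re
from collections import Counter
from dataclasses import dataclass

# Address formats a clipper is likely to target (assumption: format regexes only, no
# checksum validation, so they classify a string but do not prove it is a valid address).
ADDRESS_PATTERNS = [
    ("btc", re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")),   # legacy P2PKH / P2SH
    ("btc", re.compile(r"^bc1[ac-hj-np-z02-9]{8,87}$")),          # bech32 / bech32m
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("xmr", re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")),
]


def classify_address(text):
    """Return the coin family of `text` if it looks like a wallet address, else None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS:
        if pattern.match(candidate):
            return coin
    return None


@dataclass(frozen=True)
class ClipboardEvent:
    ts: float    # seconds since monitoring started
    text: str    # clipboard contents observed at that time


@dataclass(frozen=True)
class HijackAlert:
    ts: float
    coin: str
    original: str
    replaced_with: str


def detect_hijacks(events, window=2.0):
    """Flag each clipboard change where one address is replaced by a different address
    of the same coin within `window` seconds. A person rarely copies two distinct
    addresses that quickly; a clipper does it on every copy (window is an assumption)."""
    alerts = []
    prev = None
    for ev in events:
        coin = classify_address(ev.text)
        if prev is not None and coin is not None:
            if (classify_address(prev.text) == coin
                    and prev.text.strip() != ev.text.strip()
                    and ev.ts - prev.ts <= window):
                alerts.append(HijackAlert(ev.ts, coin, prev.text.strip(), ev.text.strip()))
        prev = ev
    return alerts


def attacker_addresses(alerts):
    """Count replacement addresses: a clipper swaps in the same attacker wallet every
    time, so a repeated replacement is the strongest evidence and the IOC to hunt for."""
    return Counter(a.replaced_with for a in alerts)


# Constructed sample trace (not real telemetry). The user copies the Bitcoin genesis
# address and an Ethereum address; a clipper overwrites each within half a second.
ATTACKER_BTC = "1HijackedFakeAttackerAddrZZZZZZZZZ"
ATTACKER_ETH = "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes"),
    ClipboardEvent(5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ClipboardEvent(5.3, ATTACKER_BTC),
    ClipboardEvent(40.0, "0x" + "ab" * 20),
    ClipboardEvent(40.2, ATTACKER_ETH),
    ClipboardEvent(120.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ClipboardEvent(120.4, ATTACKER_BTC),
    # Two different addresses copied a minute apart: normal behaviour, must not alert.
    ClipboardEvent(200.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipboardEvent(260.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
]

if __name__ == "__main__":
    found = detect_hijacks(SAMPLE_EVENTS)
    for a in found:
        print(f"t={a.ts:6.1f}s {a.coin}: {a.original} -> {a.replaced_with}")
    print("replacement addresses:", dict(attacker_addresses(found)))
```

On a live host the `SAMPLE_EVENTS` list would be replaced by a polling loop that reads the real clipboard (for example `Get-Clipboard` in PowerShell or a Win32 clipboard listener); the comparison logic stays the same. Any address that shows up repeatedly as `replaced_with` should be treated as an indicator and searched for in the dropped binaries and in network captures.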
Indicators of Compromise:
File system changes:
Command and control servers:
Note: The complete analysis and the IOCs (file system changes and command-and-control servers) are available in the full report.
- Monitor and block network traffic from systems connecting to the above-mentioned domains/IPs at firewalls, IDS, web gateways, routers or other perimeter devices.
- Revert the file system and registry changes made by the malware (remove the dropped files and the registry entries it created).
- Disable the Autorun functionality in Windows.
- Keep up-to-date patches and fixes on the operating system and application software.
- Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
- Application whitelisting / strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths; malware samples generally drop and execute from these locations.
- Do not open attachments in unsolicited e-mails, even if they appear to come from people in your contact list, and never click a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL appears genuine, close the e-mail and go to the organization's website directly through the browser.
- Block attachments of the file types exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
- Consider encrypting confidential data at rest, since information-stealing malware of this kind harvests data from common file types.
- Exercise caution while visiting links to Web pages.
- Do not visit untrusted websites.
- Use strong passwords and also enable password policies.
- Enable firewall at desktop and gateway level.
- Protect yourself against social engineering attacks.
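On the server side, the brute-force attacks on WordPress sites described above are visible in the web server's access log as bursts of POST requests to the login endpoint from one source, and the strong-password recommendation is what decides whether such a burst ends in a successful login. The detector below, added here as an illustration and not part of this advisory or of any published Clipsa analysis, runs a per-IP sliding-window count over combined-format log lines and also reports whether a password was eventually guessed. It relies on a known WordPress behaviour (a failed login re-renders the form with HTTP 200, a successful one answers 302 to wp-admin); the inclusion of xmlrpc.php, the thresholds and the log lines themselves are assumptions constructed for the example.

```python
"""Detect WordPress login brute-forcing, and a guessed password, from access logs.
Added example; not code from the advisory or from the malware analysis it cites."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format. Only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints that accept WordPress credentials. xmlrpc.php is included because it also
# authenticates and is a common brute-force target (assumption, not from the advisory).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return ip, ts (aware datetime), method, path (query stripped), status; None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=10, window_s=60):
    """Flag any source IP that POSTs to a login endpoint `threshold` times within
    `window_s` seconds (sliding window per IP). WordPress answers a failed login with
    HTTP 200 (re-rendered form) and a successful one with a 302 redirect, so a 302
    from an already-flagged IP means one of its guesses worked."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    total = defaultdict(int)      # ip -> all login POSTs seen
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        ip, ts = rec["ip"], rec["ts"]
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if ip not in alerts and len(q) >= threshold:
            alerts[ip] = {"first_seen": q[0], "attempts": len(q), "success": False}
        if ip in alerts:
            alerts[ip]["attempts"] = total[ip]
            if rec["status"] == 302:
                alerts[ip]["success"] = True
    return alerts


def log_line(ip, ts, method, path, status):
    """Build one combined-format line (used only to construct the sample below)."""
    return (f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" '
            f'{status} 2731 "-" "Mozilla/5.0"')


# Constructed sample log (not real traffic). RFC 5737 documentation addresses.
T0 = datetime(2019, 9, 20, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    # Legitimate admin: one POST, logs in straight away (302).
    [log_line("198.51.100.7", T0 - timedelta(minutes=5), "POST", "/wp-login.php", 302)]
    # A crawler fetching the login page repeatedly: GETs never count as attempts.
    + [log_line("192.0.2.10", T0 + timedelta(seconds=i), "GET", "/wp-login.php", 200)
       for i in range(30)]
    # Brute-forcer: 11 failed guesses (200) two seconds apart, then a hit (302).
    + [log_line("203.0.113.45", T0 + timedelta(seconds=2 * i), "POST",
                "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200) for i in range(11)]
    + [log_line("203.0.113.45", T0 + timedelta(seconds=22), "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LINES).items():
        verdict = "PASSWORD GUESSED" if info["success"] else "still failing"
        print(f"{ip}: {info['attempts']} login POSTs since {info['first_seen']:%H:%M:%S}, {verdict}")
```

A flagged IP with `success` set should be treated as a compromised site, not merely an attacked one: per the advisory the malware then uses such sites as secondary command-and-control servers, so the incident response has to include checking the site for uploaded files and new administrator accounts, not only blocking the source address.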