Clipsa Malware
Original Issue Date:-
September 20, 2019
Virus Type:- Multipurpose Password Stealer
Severity:-
High
It has been reported that a malware named “Clipsa” is spreading. The malware mainly spreads as executable files masquerading as installers for media players. The malware is capable of performing the following functions:
- Steals administrative credentials from unsecured WordPress sites.
- Mines and steals cryptocurrency, replacing wallet addresses present in the clipboard via clipboard hijacking.
- Scans the internet and launches brute-force attacks against WordPress sites.
- Degrades system performance through the heavy resource use of cryptocurrency mining.
- May use the compromised websites as secondary command-and-control servers to host malicious files or receive uploaded stolen data.
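The clipboard-hijacking function above works by replacing a wallet address the user has just copied with one the attacker controls. The following Python is an added detection example, not code from the advisory or from the Clipsa sample: it replays a sequence of clipboard snapshots and flags a wallet address that was silently replaced by a different address of the same kind within a short window. The address patterns, the two-second threshold, the addresses and the timeline are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape checks for the address formats a clipper typically targets.
# Hypothetical coverage: Bitcoin legacy/P2SH (base58) and bech32, and Ethereum.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipboardSample:
    t: float    # seconds since monitoring started
    text: str   # clipboard contents observed at that moment


def address_kind(text: str):
    """Return 'btc', 'eth' or None depending on what the clipboard text looks like."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_swaps(samples, max_gap: float = 2.0):
    """Flag a wallet address replaced by a different address of the same kind
    within max_gap seconds. A person rarely copies two addresses that fast;
    a clipper overwrites the clipboard almost immediately after the user's copy."""
    alerts = []
    prev = None
    for cur in samples:
        if prev is not None:
            before, after = address_kind(prev.text), address_kind(cur.text)
            if (before is not None and before == after
                    and prev.text.strip() != cur.text.strip()
                    and 0 <= cur.t - prev.t <= max_gap):
                alerts.append({"kind": before, "at": cur.t,
                               "original": prev.text.strip(),
                               "replacement": cur.text.strip()})
        prev = cur
    return alerts


# Constructed addresses and clipboard timeline (not real wallets, not from the advisory).
USER_BTC = "1ConstructedAddrAAAAAAAAAAAAAAAAAA"
SWAPPED_BTC = "1AttackerAddrBBBBBBBBBBBBBBBBBBBBB"
USER_ETH = "0x" + "ab" * 20
OTHER_ETH = "0x" + "cd" * 20

SAMPLE_TIMELINE = [
    ClipboardSample(0.0, "meeting notes for Monday"),
    ClipboardSample(5.0, USER_BTC),       # user copies their own address
    ClipboardSample(5.3, SWAPPED_BTC),    # 300 ms later it has changed: clipper behaviour
    ClipboardSample(40.0, USER_ETH),
    ClipboardSample(75.0, OTHER_ETH),     # a different address 35 s later: normal use
    ClipboardSample(75.1, ""),
]


def demo():
    return detect_swaps(SAMPLE_TIMELINE)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a['kind']}] at t={a['at']}s: {a['original']} -> {a['replacement']}")
```

On a live host the snapshots would come from polling the clipboard (for example with a GUI toolkit or a small clipboard-watcher service); the heuristic is deliberately simple and will not catch a clipper that waits longer than the gap, so treat it as one signal alongside the file and network indicators below.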
Indicators of Compromise:
File system changes:
- C:\Users\user\AppData\Roaming\AudioDG\condlg.exe
- C:\Users\user\AppData\Roaming\AudioDG\zcondlg.exe
- C:\Users\user\AppData\Roaming\WinSys\coresys.exe
- C:\Users\user\AppData\Roaming\WinSys\xcoresys.exe
- C:\Users\user\AppData\Roaming\AudioDG\log.dat
- C:\Users\user\AppData\Roaming\AudioDG\obj\
- C:\Users\user\AppData\Roaming\AudioDG\udb\
- C:\Users\user\AppData\Local\Temp\xxxxxxxx.exe
- C:\Users\user\AppData\Roaming\Host\svchost.exe
- 65923_VTS.asx
- setup.bin
Command and control servers:
- poly.ufxtools[.]com
- industriatempo.com[.]br
- robertholeon[.]com
- deluxesingles[.]com
- naijafacemodel[.]com
- www.quanttum[.]trade
- www.blinov-house[.]ru
- ssgoldtravel[.]com
- www.greenbrands[.]ir
- new.datance[.]com
- besttipsfor[.]com
- chila[.]store
- globaleventscrc[.]com
- ionix.co[.]id
- mahmya[.]com
- mohanchandran[.]com
- mutolarahsap[.]com
- northkabbadi[.]com
- raiz[.]ec
- rhsgroup[.]ma
- robinhurtnamibia[.]com
- sloneczna10tka[.]pl
- stepinwatchcenter[.]se
- topfinsignals[.]com
- tripindiabycar[.]com
- videotroisquart[.]net
- wbbministries[.]org
File hashes:
- 2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E
- FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5
- A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1
- B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5
- F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42
Note: For complete analysis and IOCs, click here
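To turn the indicators above into something a SOC can run, the following Python is an added example (not part of the advisory): it refangs the defanged C2 domain list, matches resolver queries against it (including subdomains), and hashes files against the listed SHA-256 values. The resolver log lines are constructed for the example and the field layout (timestamp, client, query type, query name) is an assumption; the domains and hashes are exactly those published above.

```python
import hashlib
from pathlib import Path

# Defanged C2 domains as listed in the advisory; refanged at runtime so the
# source stays safe to paste into tickets and wikis.
DEFANGED_C2 = """
poly.ufxtools[.]com industriatempo.com[.]br robertholeon[.]com deluxesingles[.]com
naijafacemodel[.]com www.quanttum[.]trade www.blinov-house[.]ru ssgoldtravel[.]com
www.greenbrands[.]ir new.datance[.]com besttipsfor[.]com chila[.]store
globaleventscrc[.]com ionix.co[.]id mahmya[.]com mohanchandran[.]com
mutolarahsap[.]com northkabbadi[.]com raiz[.]ec rhsgroup[.]ma robinhurtnamibia[.]com
sloneczna10tka[.]pl stepinwatchcenter[.]se topfinsignals[.]com tripindiabycar[.]com
videotroisquart[.]net wbbministries[.]org
""".split()

# SHA-256 hashes of the Clipsa samples from the advisory (lower-cased for comparison).
KNOWN_SHA256 = frozenset(h.lower() for h in """
2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E
FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5
A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1
B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5
F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42
""".split())


def refang(indicator: str) -> str:
    """Turn a defanged domain back into a real one (only the [.] form is used here)."""
    return indicator.replace("[.]", ".").strip().lower()


C2_DOMAINS = frozenset(refang(d) for d in DEFANGED_C2)


def is_c2_host(hostname: str) -> bool:
    """True if hostname is a listed C2 domain or a subdomain of one."""
    h = hostname.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def sha256_of(path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_known_samples(paths):
    """Map each existing file whose SHA-256 is in KNOWN_SHA256 to its hash."""
    hits = {}
    for p in map(Path, paths):
        if p.is_file():
            h = sha256_of(p)
            if h in KNOWN_SHA256:
                hits[str(p)] = h
    return hits


# Constructed resolver log lines (not from the advisory): timestamp, client, qtype, qname.
SAMPLE_DNS_LOG = """\
2019-09-20T10:00:01Z ws-17 A poly.ufxtools.com
2019-09-20T10:00:02Z ws-17 A update.example.net
2019-09-20T10:00:05Z ws-23 A www.greenbrands.ir
2019-09-20T10:00:09Z ws-23 A cdn.chila.store
2019-09-20T10:00:11Z ws-31 A ufxtools.com
"""


def scan_dns_log(text: str):
    """Return (timestamp, client, qname) for every query to a listed C2 domain."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and is_c2_host(fields[3]):
            hits.append((fields[0], fields[1], fields[3]))
    return hits


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried C2 domain {qname}")
```

Note that the last log line (`ufxtools.com`) is not flagged: the advisory lists only the `poly.` host, and matching the parent domain would be a judgement call for the analyst rather than something the published indicator supports.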
Best Practices
- Monitor and block network traffic from systems making connections to the above-mentioned domains/IPs at firewalls, IDS, web gateways, routers or other perimeter devices.
- Delete the file system and registry changes made by the malware.
- Disable the Autorun functionality in Windows (http://support.microsoft.com/kb/967715).
- Keep up-to-date patches and fixes on the operating system and application software.
- Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
- Application whitelisting / strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Malware samples, Clipsa included, generally drop and execute from these locations.
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL appears genuine, close the e-mail and go to the organization's website directly through the browser.
- Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
- Consider encrypting the confidential data as the ransomware generally targets common file types.
- Exercise caution while visiting links to Web pages.
- Do not visit untrusted websites.
- Use strong passwords and also enable password policies.
- Enable firewall at desktop and gateway level.
- Protect yourself against social engineering attacks.
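The SRP recommendation above (block binaries running from %APPDATA% and %TEMP%) can also be audited after the fact from process-creation telemetry. The Python below is an added example, not from the advisory: it walks a list of process-creation events and flags images that run from those user-writable directories, plus a second check for a system binary name (here `svchost.exe`, which the advisory lists under `AppData\Roaming\Host\`) running outside the Windows system directories. The events are constructed in a Sysmon Event ID 1 style with invented user names; the AppData paths mirror the file-system indicators above.

```python
import ntpath

# Directory segments the best practice says to block execution from
# (%APPDATA% and %TEMP% expand to these under C:\Users\<name>).
USER_WRITABLE_SEGMENTS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

# Binary names that belong under the Windows system directories; a copy running
# elsewhere (the advisory lists ...\AppData\Roaming\Host\svchost.exe) is suspicious.
SYSTEM_BINARY_NAMES = {"svchost.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def normalize(path: str) -> str:
    """Case-fold and use backslashes so segment matching is consistent."""
    return path.replace("/", "\\").lower()


def runs_from_user_writable_dir(image: str) -> bool:
    p = normalize(image)
    return any(seg in p for seg in USER_WRITABLE_SEGMENTS)


def masquerades_as_system_binary(image: str) -> bool:
    p = normalize(image)
    name = ntpath.basename(p)
    return name in SYSTEM_BINARY_NAMES and not any(d in p for d in SYSTEM_DIRS)


def audit_process_events(events):
    """events: iterable of (timestamp, host, image_path, parent_image).
    Returns the events an SRP rule would have blocked or that deserve a look."""
    flagged = []
    for ts, host, image, parent in events:
        reasons = []
        if runs_from_user_writable_dir(image):
            reasons.append("executes from %APPDATA%/%TEMP%")
        if masquerades_as_system_binary(image):
            reasons.append("system binary name outside system directory")
        if reasons:
            flagged.append({"time": ts, "host": host, "image": image,
                            "parent": parent, "reasons": reasons})
    return flagged


# Constructed process-creation events (Sysmon Event ID 1 style, not real telemetry).
# The AppData paths mirror the advisory's file-system IoCs; user names are invented.
PROCESS_EVENTS = [
    ("2019-09-20T09:58:40Z", "ws-17", r"C:\Users\alice\Downloads\MediaPlayerSetup.exe", r"C:\Windows\explorer.exe"),
    ("2019-09-20T09:58:41Z", "ws-17", r"C:\Users\alice\AppData\Roaming\AudioDG\condlg.exe", r"C:\Users\alice\Downloads\MediaPlayerSetup.exe"),
    ("2019-09-20T09:58:43Z", "ws-17", r"C:\Users\alice\AppData\Roaming\WinSys\coresys.exe", r"C:\Users\alice\AppData\Roaming\AudioDG\condlg.exe"),
    ("2019-09-20T09:58:44Z", "ws-17", r"C:\Users\alice\AppData\Roaming\Host\svchost.exe", r"C:\Users\alice\AppData\Roaming\AudioDG\condlg.exe"),
    ("2019-09-20T09:59:00Z", "ws-17", r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe"),
    ("2019-09-20T09:59:10Z", "ws-23", r"C:\Users\bob\AppData\Local\Temp\sample.exe", r"C:\Windows\System32\cmd.exe"),
    ("2019-09-20T10:01:00Z", "ws-23", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
]


def audit_demo():
    return audit_process_events(PROCESS_EVENTS)


if __name__ == "__main__":
    for f in audit_demo():
        print(f"{f['time']} {f['host']} {f['image']}: " + "; ".join(f["reasons"]))
```

The parent-image column is carried through because the chain (installer in Downloads spawning a dropper in AppData, which spawns further binaries) is what distinguishes a Clipsa-style infection from the occasional legitimate updater that also lives in %APPDATA%; a real deployment would whitelist those updaters by publisher rather than by path.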