Avast protects 250K users from Clipsa malware targeting WordPress sites

Threat Intelligence Team, 7 August 2019

Multi-functional password stealer brute-forces and steals admin credentials from unsecured WordPress websites

Avast researchers announced this week that the company has protected more than 253,000 users from Clipsa, a password stealer that steals administrator credentials from unsecured WordPress websites.

Once on an infected device, Clipsa can perform multiple actions, such as stealing cryptocurrency transfers and installing a cryptocurrency miner. Clipsa also uses infected PCs to crawl the internet for vulnerable WordPress websites. Once it finds a vulnerable site, it attempts to brute-force its way into the site.

“Clipsa is an unusual password stealer, in that it supports a wide range of functionalities. Instead of just focusing on passwords and cryptowallets present on the victim’s computer, Clipsa also makes PCs do the cybercriminals’ dirty work, like searching for vulnerable WordPress websites on the internet and brute-forcing their credentials. The more machines that are infected, the more computational power Clipsa has,” said Jan Rubín, malware researcher at Avast.

The campaign is most prevalent in India, where Avast has blocked more than 43,000 Clipsa infection attempts, protecting more than 28,000 users in India from the malware. The Avast Threat Labs has also observed higher infection attempt rates in the Philippines, where Avast protected more than 15,000 users from Clipsa, and in Brazil, where it protected more than 13,000 users. In total, Avast has protected more than 253,000 users more than 360,000 times since August 1, 2018.

If a device is infected with Clipsa, users may notice their PCs operating slower than usual, due to malicious coin miners mining cryptocurrencies in the background, as well as Clipsa crawling the internet for vulnerable WordPress sites.

Avast Antivirus, including Avast Free Antivirus, detects and protects users from malware like Clipsa. To further protect themselves, users should only download installers and software from well-known and trusted websites. Users should also make sure installers are digitally signed, to verify their origin and legitimacy. WordPress website administrators should always use the latest version of WordPress, as well as recommended security settings, and use unique and complex passwords to protect their accounts.
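The credential brute-forcing described above leaves a trail in the web server's access log, which a WordPress administrator can check. The following Python script is an added example, not code from Avast or from the Clipsa analysis; it assumes Apache/nginx combined log format, uses constructed sample log lines, and assumes that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful login answers with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample traffic (not real): one client hammering the login form,
# one client logging in normally (WordPress answers a successful login with 302).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2019:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Aug/2019:10:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Aug/2019:10:03:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_failed_logins(log_text):
    """Yield (ip, timestamp) for each request that looks like a failed login.
    Assumption: a failed wp-login.php POST re-renders the form with HTTP 200."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak attempts} for clients whose failed logins inside any
    sliding window of `window` reach `threshold`."""
    attempts = defaultdict(list)
    for ip, when in parse_failed_logins(log_text):
        attempts[ip].append(when)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Calling `find_bruteforce(SAMPLE_LOG)` on the constructed sample flags only 203.0.113.7 with 5 attempts; the normal login from 198.51.100.2 is ignored.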

Full analysis of Clipsa can be found on the Avast Decoded blog.