Email Security.cloud


Clipsa Malware 

Jan 22, 2020 11:17 AM

It has been reported that malware named “Clipsa” is spreading. It is distributed mainly as executable files masquerading as installers for media players. Once running, the malware performs the following functions:

  • Steals administrator credentials from poorly secured WordPress sites.
  • Mines cryptocurrency on the infected host and steals cryptocurrency through clipboard hijacking: wallet addresses copied to the clipboard are silently replaced with attacker-controlled addresses, so a victim who pastes an address for a payment sends the funds to the attacker.
  • Scans the Internet for WordPress sites and launches brute-force login attacks against them.
  • Degrades system performance, because the cryptocurrency miner consumes excessive CPU resources.
  • May use the compromised websites as secondary command and control servers to host malicious files or to upload stolen data.

Indicators of Compromise:

File system changes:

  • C:\Users\user\AppData\Roaming\AudioDG\condlg.exe
  • C:\Users\user\AppData\Roaming\AudioDG\zcondlg.exe
  • C:\Users\user\AppData\Roaming\WinSys\coresys.exe
  • C:\Users\user\AppData\Roaming\WinSys\xcoresys.exe
  • C:\Users\user\AppData\Roaming\AudioDG\log.dat
  • C:\Users\user\AppData\Roaming\AudioDG\obj\
  • C:\Users\user\AppData\Roaming\AudioDG\udb\
  • C:\Users\user\AppData\Local\Temp\xxxxxxxx.exe
  • C:\Users\user\AppData\Roaming\Host\svchost.exe
  • 65923_VTS.asx
  • setup.bin

Command and control servers:

  • poly.ufxtools[.]com
  • industriatempo.com[.]br
  • robertholeon[.]com
  • deluxesingles[.]com
  • naijafacemodel[.]com
  • www.quanttum[.]trade
  • www.blinov-house[.]ru
  • ssgoldtravel[.]com
  • www.greenbrands[.]ir
  • new.datance[.]com
  • besttipsfor[.]com
  • chila[.]store
  • globaleventscrc[.]com
  • ionix.co[.]id
  • mahmya[.]com
  • mohanchandran[.]com
  • mutolarahsap[.]com
  • northkabbadi[.]com
  • raiz[.]ec
  • rhsgroup[.]ma
  • robinhurtnamibia[.]com
  • sloneczna10tka[.]pl
  • stepinwatchcenter[.]se
  • topfinsignals[.]com
  • tripindiabycar[.]com
  • videotroisquart[.]net
  • wbbministries[.]org

File hashes (SHA-256):

  • 2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E
  • FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5
  • A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1
  • B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5
  • F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42
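The indicators above can be checked mechanically against a host's file listing, a DNS or proxy log, and a set of file hashes. The Python script below is an added example written for this page, not part of the original advisory. It assumes that the "user" component of the listed paths stands for any profile name, compares paths case-insensitively, re-fangs the domains ("[.]" to ".") before matching, and runs over constructed sample inputs; the %TEMP%\xxxxxxxx.exe entry is a placeholder name in the advisory and is deliberately not matched.

```python
"""Added example (not part of the original advisory): match host and
network observations against the Clipsa IoCs listed above. Paths are
compared case-insensitively with 'user' as a wildcard profile name;
domains are re-fanged before matching. All sample inputs are constructed."""
import re
from pathlib import PureWindowsPath

# Dropped files from the advisory ('user' = any profile name). The
# %TEMP%\xxxxxxxx.exe entry is a placeholder name and is not matched here.
IOC_PATHS = [
    r"C:\Users\user\AppData\Roaming\AudioDG\condlg.exe",
    r"C:\Users\user\AppData\Roaming\AudioDG\zcondlg.exe",
    r"C:\Users\user\AppData\Roaming\WinSys\coresys.exe",
    r"C:\Users\user\AppData\Roaming\WinSys\xcoresys.exe",
    r"C:\Users\user\AppData\Roaming\AudioDG\log.dat",
    r"C:\Users\user\AppData\Roaming\Host\svchost.exe",
]
# Dropped directories: anything stored inside them counts as a hit.
IOC_DIRS = [
    r"C:\Users\user\AppData\Roaming\AudioDG\obj",
    r"C:\Users\user\AppData\Roaming\AudioDG\udb",
]
# Bare file names from the advisory, matched on the final path component.
IOC_FILENAMES = {"65923_vts.asx", "setup.bin"}
IOC_DOMAINS = {d.replace("[.]", ".") for d in [
    "poly.ufxtools[.]com", "industriatempo.com[.]br", "robertholeon[.]com",
    "deluxesingles[.]com", "naijafacemodel[.]com", "www.quanttum[.]trade",
    "www.blinov-house[.]ru", "ssgoldtravel[.]com", "www.greenbrands[.]ir",
    "new.datance[.]com", "besttipsfor[.]com", "chila[.]store",
    "globaleventscrc[.]com", "ionix.co[.]id", "mahmya[.]com",
    "mohanchandran[.]com", "mutolarahsap[.]com", "northkabbadi[.]com",
    "raiz[.]ec", "rhsgroup[.]ma", "robinhurtnamibia[.]com",
    "sloneczna10tka[.]pl", "stepinwatchcenter[.]se", "topfinsignals[.]com",
    "tripindiabycar[.]com", "videotroisquart[.]net", "wbbministries[.]org",
]}
IOC_SHA256 = {
    "2922662802EED0D2300C3646A7A9AE73209F71B37AB94B25E6DF57F6AED7F23E",
    "FD552E4BBAEA7A4D15DBE2D185843DBA05700F33EDFF3E05D1CCE4A5429575E5",
    "A65923D0B245F391AE27508C19AC1CFDE7B52A7074898DA375389E4E6C7D3AE1",
    "B56E30DFD5AED33E5113BD886194DD76919865E49F5B7069305034F6E0699EF5",
    "F26E5CA286C20312989E6BF35E26BEA3049C704471FF68404B0EC4DE7A8A6D42",
}
# Host names in a log line; bare IPs such as 10.0.0.12 do not match.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _parts(path):
    return [p.lower() for p in PureWindowsPath(path).parts]


def path_matches(observed, ioc, is_dir=False):
    """True if observed equals the IoC path (or lies under it when is_dir),
    ignoring case and accepting any profile name in the 'user' slot."""
    obs, ref = _parts(observed), _parts(ioc)
    if is_dir and len(obs) > len(ref):
        obs = obs[:len(ref)]
    if len(obs) != len(ref):
        return False
    return all(a == b or (i == 2 and b == "user")
               for i, (a, b) in enumerate(zip(obs, ref)))


def path_hits(observed_paths):
    """Observed paths that match a dropped file, directory or bare name."""
    hits = []
    for p in observed_paths:
        if (any(path_matches(p, ioc) for ioc in IOC_PATHS)
                or any(path_matches(p, d, is_dir=True) for d in IOC_DIRS)
                or PureWindowsPath(p).name.lower() in IOC_FILENAMES):
            hits.append(p)
    return hits


def domain_hits(log_lines):
    """(line, host) pairs where a host is an IoC domain or a subdomain of one."""
    hits = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((line, h))
    return hits


def hash_hits(observed_hashes):
    """Observed SHA-256 values (any case) that are on the IoC list."""
    return sorted(h.upper() for h in observed_hashes if h.upper() in IOC_SHA256)


# Constructed sample data: a file listing, DNS log lines and two hashes.
SAMPLE_PATHS = [
    r"C:\Users\jdoe\AppData\Roaming\AudioDG\condlg.exe",      # hit, other profile
    r"C:\Users\jdoe\AppData\Roaming\audiodg\udb\entries.db",   # hit, inside IoC dir
    r"C:\Users\jdoe\Downloads\setup.bin",                      # hit, bare file name
    r"C:\Users\jdoe\AppData\Roaming\WinSys\coresys.exe.bak",   # miss, different name
    r"C:\Windows\System32\svchost.exe",                        # miss, legitimate
]
SAMPLE_DNS_LOG = [
    "2020-01-22 10:15:03 10.0.0.12 query A poly.ufxtools.com",
    "2020-01-22 10:15:04 10.0.0.12 query A www.example.com",
    "2020-01-22 10:15:05 10.0.0.12 query A cdn.sloneczna10tka.pl",
]
SAMPLE_HASHES = [
    "2922662802eed0d2300c3646a7a9ae73209f71b37ab94b25e6df57f6aed7f23e",
    "0000000000000000000000000000000000000000000000000000000000000000",
]
```

Run `path_hits(SAMPLE_PATHS)`, `domain_hits(SAMPLE_DNS_LOG)` and `hash_hits(SAMPLE_HASHES)` to see the three kinds of match. Subdomains of a listed domain are treated as hits, but a parent domain of a listed subdomain (for example datance.com for new.datance[.]com) is not, so the script stays within what the advisory actually lists.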


Best Practices

  • Monitor and block network traffic from systems making connections to the above-mentioned domains at the firewall, IDS, web gateways, routers or other perimeter devices.
  • Remove the files dropped by the malware (listed above) and revert any persistence changes it made to the registry.
  • Disable the Autorun functionality in Windows
    http://support.microsoft.com/kb/967715
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
  • Application whitelisting / strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. The Clipsa files listed above are dropped to and executed from exactly these locations.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through the browser.
  • Block attachments of the file types exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf. This list does not cover every file type seen in this campaign (setup.bin above), so combine it with content inspection rather than relying on extensions alone.
  • Before sending cryptocurrency, verify the destination address shown in the wallet application against the one you intended to paste: the clipboard hijacking described above silently replaces copied wallet addresses with attacker-controlled ones.
  • Exercise caution while visiting links to Web pages.
  • Do not visit untrusted websites.
  • Use strong, unique passwords and enforce password policies, especially for WordPress administrator accounts, which this malware brute-forces.
  • Enable firewall at desktop and gateway level.
  • Protect yourself against social engineering attacks.
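The attachment file-type block above is simple to state but easy to get wrong at the gateway: case, double extensions and trailing characters all defeat a naive check. The Python filter below is an added example written for this page, not code from the original advisory or any mail product. It normalizes the name and blocks if any extension in the chain is on the list; the sample names are constructed.

```python
"""Added example (not part of the original advisory): a gateway-style
attachment filter for the file types listed above. It lowercases the
name, strips trailing dots and spaces, and blocks if any extension in
the chain is on the list, so 'invoice.pdf.EXE ' is caught. Sample
names are constructed."""
BLOCKED_EXTENSIONS = {
    "exe", "pif", "tmp", "url", "vb", "vbe", "scr", "reg", "cer", "pst",
    "cmd", "com", "bat", "dll", "dat", "hlp", "hta", "js", "wsf",
}


def attachment_verdict(filename):
    """Return ('block', [matched extensions]) or ('allow', [])."""
    name = filename.strip().rstrip(". ").lower()
    chain = name.split(".")[1:]          # every extension after the first dot
    matched = [ext for ext in chain if ext in BLOCKED_EXTENSIONS]
    return ("block", matched) if matched else ("allow", [])


def filter_attachments(filenames):
    """Map each file name to 'block' or 'allow'."""
    return {f: attachment_verdict(f)[0] for f in filenames}


SAMPLE_ATTACHMENTS = [
    "invoice.pdf.EXE ",   # blocked: double extension, upper case, trailing space
    "player_update.js",   # blocked
    "setup.bin",          # allowed: .bin is not on the list (see caveat above)
    "report.docx",        # allowed
]
```

Blocking on any extension in the chain is deliberately conservative: "payload.exe.txt" is rejected even though Windows would open it as text. The filter looks only at names, so archives that wrap an executable pass through; content inspection has to cover that case.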
