Category Archives: cryptocurrency

New strain of Clipsa malware launches brute-force attacks on WordPress sites

Avast spotted a new strain of Clipsa malware that is used to mine and steal cryptocurrencies along with carrying out brute-force attacks on WordPress sites.

Clipsa is a malware that is well known to cyber security community is able to steal cryptocurrency via clipoard hijacking and mine cryptocurrency after installing a miner. 

Avast recently discovered a new strain of Clipsa malware that is able to scan the Internet and launches brute-force attacks on WordPress sites.

Avast researchers announced this week that the company has protected more than 253,000 users from Clipsa, a password stealer that steals administrator credentials from unsecured WordPress websites.” reads the blog post published by Avast.

“Once on an infected device, Clipsa can perform multiple actions, such as stealing cryptocurrency transfers and installing a cryptocurrency miner. Clipsa also uses infected PCs to crawl the internet for vulnerable WordPress websites. Once it finds a vulnerable site, it attempts to brute-force its way into the site.”

Anyway, the presence of the Clipsa malware is not difficult to notice because the malicious code may cause significant degradation of the PC’s performance due to the mining activity, as well as the crawling of the web for vulnerable WordPress sites. 

The experts observed Clipsa spreading as a malicious executable file, for example, disguised as codec pack installers for media players.

The ability to launch brute-force attacks in unusual for a password stealer as explained by Jan Rubín, a malware researcher at Avast.

Clipsa is an unusual password stealer, in that it supports a wide range of functionalities. Instead of just focusing on passwords and cryptowallets present on the victim’s computer, Clipsa also makes PCs do the cybercriminals’ dirty work, like searching for vulnerable WordPress websites on the internet and brute-forcing their credentials.” states Rubin. “The more machines that are infected, the more computational power Clipsa has,”

The campaign appears to be more active in India, where Avast has blocked the largest number of Clipsa attacks (over 43,000) against more than 28,000 users.

Clipsa malware

The higher number of infection was observed in the Philippines and in Brazil. Avast declared that it has protected more than 253,000 users since August 1, 2018. 

Experts pointed out that it is rage to detect desktop malware launching brute-force attacks on WordPress sites, they believe the bad actors behind this campaign can steal further data from the hacked websites.

Avast researchers also believe that threat actors could use the compromised WordPress sites as secondary C&C servers to host download links for miners or to upload and store stolen data.

Clipsa was mainly developed to mine cryptocurrency and steal funds from the victims. It scans the victim’s PC wallet.dat files uploads them to a remote server, then use the content of the file to steal funds.

Clipsa also scans the PC for TXT files containing strings in the BIP-39 format used for storing Bitcoin mnemonic seed recovery phrases.

Clipsa also focuses on text files that contain words with specific patterns. These patterns form bip-39 mnemonic seed recovery phrases (or “mnemonic word sequences”) which are used as a seed for a pseudo-random generator.” reads the analysis. “If a user knows the seed, they can deterministically generate the same wallet keys that were generated when the user first created their wallet. Thus, Clipsa in this phase actually focuses on stealing mnemonic word sequences to crack cryptocurrency wallets.”

As anticipated, Clipsa also monitor the clipboard to detect Bitcoin or Ethereum addresses and replace them with ones under the control of the attacker in the attempt of hijacking transactions.

Is this Clipsa campaign profitable?

Experts at Avast analyzed the balances of 9,412 Bitcoin addresses associated with Clipsa malware. The researchers discovered that operators earned a total of 3 Bitcoin stored in 117 of these addresses. This means that the profit for clipboard hijacking was about $35,000 per year.

Experts speculate that the crooks’ profits could be much greater if we consider funds gained by cracking the stolen wallet.dat files and the mining activity.

Avast published technical details about this campaign, including Indicators of Compromise (IoCs), here.

Pierluigi Paganini

(SecurityAffairs – Clipsa malware, hacking)

The post New strain of Clipsa malware launches brute-force attacks on WordPress sites appeared first on Security Affairs.

Cryptocurrency exchange Binance offers $290,000 bounty to unmask blackmailer

One of the world’s largest cryptocurrency exchanges has revealed that it is being blackmailed to the tune of 300 Bitcoin (approximately US $3.5 million) by someone who is threatening to release some 10,000 sensitive photographs of its customers.

Read more in my article on the Tripwire State of Security blog.

Cryptocurrency exchange Binance offers $290,000 bounty to unmask blackmailer

Binance, one of the world’s largest cryptocurrency exchanges, has revealed that it is being blackmailed to the tune of 300 Bitcoin (approximately US $3.5 million) by someone who is threatening to release some 10,000 sensitive photographs of its customers. And in an attempt to identify its blackmailer, Binance has put a 25 Bitcoin (approximately US […]… Read More

The post Cryptocurrency exchange Binance offers $290,000 bounty to unmask blackmailer appeared first on The State of Security.

Facebook’s Libra Coins In The Face Of Increasing Opposition

Bitcoin has been in existence for more than a decade now, and its rise to popularity (or unpopularity, depending on who you talk to) didn’t happen overnight. The idea of having a storage of value that is not actual currency (not backed by the government and commercial banks) was as absurd as treating common pebbles as valuable as gold. But right now, with the cryptocurrency growing and contracting at an unpredictable rate, here comes Facebook who announced that it will join the cryptocurrency market with their own Libra coins.

The already powerful and influential Facebook.com having a say on monetary movement sent jitters across the globe, to a point that the United States Congress is trying to delay its release, if not abruptly trying to stop it. Cryptocurrency is a manifestation of people’s common trust to virtual currency, with no powerful party dictating its movement. The technology behind it, Blockchain is a model of simplicity married to security and privacy of the user – something that is contrary to what Facebook stands for. Facebook since its inception is known as an advertising company, ready to sell to anyone user’s data privacy for a price.

Facebook’s services are free, because people who signed-up are the products, that is an open secret by the social media giant for more than a decade now. This time around, the concerns of the U.S. Congress have grown with Canada, Australia, United Kingdom, and other countries in Europe joining the call for Facebook to be careful with their plan. The three countries demand more information about the establishment of Libra coins, as the social media giant has been secretive of its roadmap regarding the project. Facebook recently paid a hefty fine regarding its controversial Facebook-Analytica fiasco, where information that people shared in private were accessed by a 3rd party. The social media giant has no good track record of keeping their users’ information private, let alone appointing itself as a huge player in the cryptocurrency market.

A joined privacy concern public statement has been released bearing the signatures of Albania’s Besnik Dervishi (Information and Data Protection Commissioner), EU’s Giovanni Buttarelli (European Data Protection Supervisor), United Kingdom’s Elizabeth Denham (Information Commissioner), Canada’s Daniel Therrien (Privacy Commissioner) and Rohit Chompra (Federal Trade Commissioner), Australia’s Angelene Falk (Information/Privacy Commissioner), and Burkina Fasos’ Marguerite Ouedraogo Bonane (Commission for Information Technology and Civil Liberties).

This is an important step in a global regulatory movement that is holding online companies to account for how they handle personal information. Given the many initiatives taking place in our finance and technology sector, privacy must be a key component of any significant digital initiative such as Libra,” explained Aussie Privacy Commissioner Bonane.

The following is a summary of their strong request for Facebook to clarify:

  1. How Facebook will handle personal user information in connection to users engaging with Libra coins?
  2. Is Facebook providing a 3rd party access to shared personal data of users as part of Libra coin operations?
  3. What are the privacy controls that Facebook will provide with Libra coins?
  4. Provide hints on how Libra Network build privacy as part of the core designs for Libra coins.
  5. How much data access that the Libra association will provide/allow 3rd parties when users deal with Libra coins?
  6. What is Facebook’s plan regarding data protection impact assessment on Libra coins?
  7. How will Libra coins operate in various jurisdictions and territories?

Strong privacy safeguards are the foundation for innovation in the digital world. As data protection and privacy enforcement authorities we will work together to assert this at a global level, and we encourage all organisations to engage with data protection and privacy authorities when developing services with significant implications for privacy,” concluded the group.

Also Read,

Will Facebook’s Libra Coins Exist Soon? Ask Congress

Cryptocurrency Mining Service Coinhive Set to Shut Down

7 Tips for Securing Your Cryptocurrency Wallet

The post Facebook’s Libra Coins In The Face Of Increasing Opposition appeared first on .

Pale Moon Archive Server Infected With Malware

Hackers broke the file server of the Pale Moon browser project and attacked the previous version of the browser with malicious software.

The lead developer of Pale Moon, Mr. C. Straver, said the hack was undetectable for more than 18 months.

The Pale Moon file server is used to host an earlier version of the Pale Moon browser, just in case if the user wants to downgrade from the current stable version.

“A malicious party gained access to the at the time Windows-based archive server (archive.palemoon.org) which we’ve been renting from Frantech/BuyVM and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation),” Straver said today.

The Developer of Pale Moon said that he had heard about the breach on July 9 and immediately deleted the compromised archive server.

The breach happened in 2017

Attackers used scripts to inject the EXE files stored on the server with the Win32/ClipBanker.DY Trojan variant, so that users who later download the Pale Moon browser installer and extract the files themselves, to be infected by malware.

As said above the Pale Moon team discovered a security breach on July 9 and immediately shut down all connections to the affected server to prevent the malware from spreading to other users.

The exact date of the infection results from the timestamp of the infected file:

“According to the date/time stamps of the infected files, [the hack] happened on 27 December 2017 at around 15:30,” Straver said, following a subsequent investigation.

“It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach.”

In the month of May this year, the Pale Moon project missed the opportunity to spot an intrusion when the original archive server encountered data corruption and blocking issues.

The Pale Moon developer said that all Pale Moon was 27.6.2 and had already been infected. Interestingly, previous versions archived in the Basilisk web browser were not infected even though they were hosted on the same server.

“Unfortunately, after the incident that rendered the server inoperable, the files transferred to the new system were taken from a backup made earlier that was already in an infected state due to the passage of time that this breach has gone undetected, so the infected binaries were carried over to the new (CentOS) solution,” Straver said.

Pursuing users of cryptocurrency

It is recommended that users download files from the archive servers that scan their systems or remove and reinstall their desktops for added security.

Win32 / ClipBanker.DY – security researcher calls a trojan pirate clipboard. Once the victim is infected, it is at the bottom of the operating system and monitors the operating system clipboard. This particular variant looks for pieces of text that look like Bitcoin addresses and replaces them with addresses configured in the hope of hijacking transactions in the hacker’s wallet.

The post Pale Moon Archive Server Infected With Malware appeared first on .

Cyber News Rundown: Second Florida Ransomware Attack

Reading Time: ~ 2 min.

Second Florida City Pays Ransom

Following the news that Riviera Beach, FL would pay the ransom demanded by cyberattackers, the mayor of Lake City, FL has announced that the city will be paying the demanded ransom of $460,000 to restore access to their email and internal system servers. While law enforcement agencies strongly recommend against paying the ransom and suggest that victims instead attempt to recover encrypted files through backups or other offline methods, many companies who fall prey to ransomware attacks do not keep complete backups of their systems, so they may have no choice but to pay.

Group Arrested in Domain Spoofing Scam

Several individuals were recently arrested for creating a spoof domain for Blockchain.com, a site that allows users to access their cryptocurrency wallets. The individuals in question successfully stole over $27 million’ worth of various currencies from roughly 4,000 victims by using their spoofed site to steal wallet credentials. The group was captured in two separate countries after more than a year of investigation.

Database for Insurance Marketing Site Exposed

A database belonging to MedicareSupplement.com, an insurance marketing site, was found to be publicly accessible, exposing the records of over 5 million customers. While it is unclear how long the database had been improperly secured, the researcher who discovered it in mid-May promptly reported it to the database owner. Amongst data exposed were nearly a quarter million records that indicated specific insurance categories.

Report Reveals Countries Most Targeted by Ransomware

A new report has run the numbers to uncover the top five countries most targeted by ransomware. So far in 2019, the list includes the USA, Brazil, India, Vietnam, and Turkey. During the first quarter of this year alone, the USA took 11% of the attacks, with Brazil coming in right behind with 10% of the total number of attacks. Even more concerning: the average ransom demand has nearly doubled since this time last year, jumping from around $6,700 to ca. $12,700.

IoT Malware Bricks Devices

Researchers have just found a new type of malware, dubbed Silex, that focuses on IoT devices running with default credentials. The malware then bricks—i.e., breaks in an irreparable or unrecoverable fashion—the entire device. The Silex authors claim to have distributed it with the specific intention of rendering devices unusable to prevent lower level scripters from adding the devices to their botnets. Fortunately, the authors did shut down the malware’s command servers, though the already-distributed samples will continue their operations until they have been removed by security.

The post Cyber News Rundown: Second Florida Ransomware Attack appeared first on Webroot Blog.

[Results] CLB Super Holder Event

Greetings Cloudbric community!

Thank you for your interest in our CLB Super Holder event which has now come to an end.

On exactly June 17, at 4pm KST, the price of CLB sat at 10.4 KRW (approx. $00.0088 USD).

As mentioned, all eligible CLB holders will receive a guaranteed minimum of 5% cumulative bonus distributions (CLB and CLBK tokens) of their total CLB stake as long as they hold the minimum CLB token amount.

Please check the airdrop list and look to see if your email was accepted in alignment with the guidelines.

Airdrop list

Please note that users that had already transferred CLB tokens prior to June 11th, 2019 at 2pm KST will receive an additional 200 CLB bonus airdrop to help mitigate any issues or confusion regarding wallet addresses and transfers.

The winners of the CLB Super Holder event will be issued their CLB tokens by June 24 and will receive their CLBK tokens after Klaytn’s main net launch. More details soon to come.


Make sure to follow us on our social media platforms (LinkedInTwitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Results] CLB Super Holder Event appeared first on Cloudbric.