Malicious users violate the web analytics service, then target the Bitcoin platform


The latest ESET research shows to what extent attackers will be attacked to subtract bitcoins from customers of a specific virtual currency exchange

[Update on Wednesday, November 7] On November 6, StatCounter removed the malicious script. Several hours before, stopped using StatCounter analysis services to prevent further infections. Therefore, this incident has been resolved and both websites can be safely explored.

On 3 November, hackers successfully violated StatCounter, one of the leading web analytics platforms. This service is used by many webmasters to collect statistics about their visitors – a service very similar to Google Analytics. To do this, webmasters usually add an external JavaScript tag that incorporates a piece of code from StatCounter – www.statcounter[.]com / counter / counter.js – on every web page. Therefore, by compromising the StatCounter platform, attackers can insert JavaScript code into all Web sites that use StatCounter.

According to their website, StatCounter has more than 2 million member sites and calculates statistics on over 10 billion page views per month. This information is in line with his rank of Alexa just over 5000. To make a comparison, the official site of the Debian Linux distribution,, has a similar rank of Alexa.

1 wm

The attackers changed the script to www.statcounter[.]com / counter / counter.js of adding a malicious code, shown in "prettified" form below, in the middle of the script. This is unusual, as attackers generally add malicious code to the beginning or end of a legitimate file. The code injected in the middle of an existing script is generally more difficult to detect by random observation.

The script is packaged with the Dean Edwards packer, which is probably the most popular JavaScript packer. However, it can be trivially unzipped, resulting in actual script code to be executed, as shown below.

This piece of code will first check if the URL contains myaccount / withdraw / BTC. Thus, we can already assume that the goal of hackers is to address a Bitcoin platform. If control passes, the script continues to add a new one script element to the web page and incorporating the code in https: //www.statconuter[.]com / c.php.

Note that attackers have registered a domain very similar to the legitimate StatCounter oNEITHER, StatCounter[.]com. They have just changed two letters, which can be difficult to notice when scanning logs for unusual activities. Interestingly, by checking the passive DNS of the domain, we noticed that this domain had already been suspended in 2010 for abuse.

As explained above, the script points to a specific Uniform Resource Identifier (URI): myaccount / withdraw / BTC. It turns out that among the different exchanges of cryptocurrency in real time at the time of writing, only has a valid page with this URI. Thus, this exchange seems to be the main objective of this attack. This exchange is quite popular, with an Alexa rank of 26,251 and even 8,308 in China.

Moreover, according to, several million dollars, including $ 1.6 million in bitcoin transactions, transit every day on this platform. Therefore, it could be very profitable for attackers to steal large scale cryptocurrency on this platform.

The web page https: //www.gate[.]I / MyAccount / withdraw / BTC, shown below, is used to transfer bitcoins from a account to an external Bitcoin address.

Perhaps not surprisingly, it turns out that the payload of the second phase, from statconuter[.]com / c.php, It is designed to steal bitcoins. Therefore, it makes sense to inject the script into the bitcoin transfer web page. This script is also rich with the Dean Edwards packer. The unpacked version is shown below.

In the true page of, there is already a doSubmit function, called when the user clicks the submit button, but here the attackers redefine it.

The script automatically replaces the destination Bitcoin address with an address belonging to attackers, for example 1JrFLmGVk1ho1UcMPq1WYirHptcCYr2jad. The malicious server generates a new Bitcoin address every time a visitor loads the statconuter[.]script com / c.php. Therefore, it is difficult to see how many bit bits have been transferred to attackers.

Depending on whether the victim enters more than 10 BTCs, the script of the attackers will use it or use the victim's daily withdrawal limit. In our test account, the withdrawal limit is set to 100 BTC by default. Finally, the malicious script sends the form, which transfers the victim's account to the attacker's wallet.

This redirection is probably imperceptible to victims, since the replacement is performed after clicking on the submit button. So it will happen very quickly and probably will not even be displayed.

When a new Bitcoin address is generated each time the malicious script is sent to the victim, we have not been able to see how many bitcoins have been collected by the attackers. For example, if we check the address we received on our test machine, the balance is 0 BTC.

Although we do not know how many Bitcoin bits have been stolen during this attack, it shows to what extent the attackers are turning to a specific website, specifically a cryptocurrency exchange. To achieve this, they compromised the website of an analytics service, used by over two million other websites, including several government-related websites, to steal bitcoins from customers of a single cryptocurrency exchange website.

It also shows that even if your website is up-to-date and well protected, it is still vulnerable to the weaker link, which in this case was an external resource. This is another reminder that external JavaScript is under the control of a third party and can be changed at any time without notice.

We have notified both StatCounter and as soon as we have discovered this harmful activity.

For any inquiries or to submit sample proposals related to the subject, please contact us at [email protected].

Malicious URLs

  • StatCounter[.]com / counter / counter.js
  • statconuter[.]com / c.php

Matthieu Faou

[ad_2]Source link