
StatCounter platform compromised to infect gate.io exchange with bitcoin-stealing code

A malicious actor compromised the platform of leading web analytics firm StatCounter in a supply chain attack that targeted the cryptocurrency exchange gate.io with a bitcoin-stealing script.

Outside of gate.io, none of the other two million-plus websites using StatCounter's metrics services appear to have been affected by the malicious JavaScript, even if they downloaded it. That's because the script checks for a particular Uniform Resource Identifier, myaccount/withdraw/BTC, that is associated exclusively with a gate.io webpage and with no other cryptocurrency exchange. In other words, the code appears to have been designed specifically to interact with gate.io users, according to a blog post published yesterday by Matthieu Faou, malware researcher at cybersecurity firm ESET.

In his report, Faou said that ESET notified both StatCounter and gate.io upon discovering the attack.

However, StatCounter founder Aodhan Cullen gave SC Media a differing account via email, saying it was actually a member who alerted his company to the incident. "We got a report from a member about this issue on Tuesday and fixed it within a few hours," said Cullen, describing the initial compromise as a cache poisoning attack.

In response, Faou held firm, stating that "We notified them on Monday, [Nov.] 5 at 6:55 p.m. EST time zone," adding that the disclosure was made via StatCounter's support contact.

The ESET report explained that upon compromising the web analytics platform, the attackers injected their packed malicious code into the middle of a legitimate StatCounter script. "This is unusual, as attackers generally add malicious code at the beginning, or at the end, of a legitimate file," wrote Faou. "Code injected into the middle of an existing script is typically harder to detect via casual observation."

If the downloaded first-stage script finds the aforementioned gate.io URI, it then executes second-stage code, which is tied to a fake, lookalike StatCounter domain. This code is designed to steal bitcoins by replacing a user's transaction destination with a Bitcoin address belonging to the attackers.

"This redirection is probably unnoticeable to the victims, since the replacement is performed after they click on the submit button. Thus, it will happen very quickly and would probably not even be displayed," wrote Faou.

The malicious code either sticks with the amount chosen by the victim, or changes the amount to the unsuspecting user's daily withdrawal limit. And because the malicious script uses a new bitcoin address for each transaction, the researchers have been unable to ascertain how much the attackers may have successfully stolen during their campaign.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
