During malware analysis, we regularly find variations of this injected script on various compromised websites: .
The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we’ll end up with the following code:
var _0x446d=[“_mauthtoken”,”indexOf”,”cookie”,”userAgent”,”vendor”,”opera”,”hxxps://zeep.ly/ev4Va”,”googlebot”,”test”,”substr”,”getTime”,”_mauthtoken=1; path=/;expires=”,”toUTCString”,”location”];
In this array, you can find a “shortened” redirect URL: hxxps://zeep[.]ly/ev4Va.
Continue reading Legacy Mauthtoken Malware Continues to Redirect Mobile Users at Sucuri Blog.
Source: Sucuri
