During malware analysis, we regularly find variations of this injected script on various compromised websites: .

The variable _0x446d assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we’ll end up with the following code:

var _0x446d=[“_mauthtoken”,”indexOf”,”cookie”,”userAgent”,”vendor”,”opera”,”hxxps://zeep.ly/ev4Va”,”googlebot”,”test”,”substr”,”getTime”,”_mauthtoken=1; path=/;expires=”,”toUTCString”,”location”];

In this array, you can find a “shortened” redirect URL: hxxps://zeep[.]ly/ev4Va.

Continue reading Legacy Mauthtoken Malware Continues to Redirect Mobile Users at Sucuri Blog.

Pin It on Pinterest