During malware analysis, we regularly find variations of this injected script on various compromised websites.
The variable “_0x446d” is an array whose elements are hex-encoded strings. If we convert those strings to their ASCII representation, we end up with the following code:
var _0x446d=["_mauthtoken","indexOf","cookie","userAgent","vendor","opera","hxxps://zeep.ly/ev4Va","googlebot","test","substr","getTime","_mauthtoken=1; path=/;expires=","toUTCString","location"];
In this array, you can find a “shortened” redirect URL: hxxps://zeep[.]ly/ev4Va.
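Added example (not code from the original post): a static decoder for this kind of hex-escaped string array, which recovers the ASCII strings without executing the script and reports any redirect URL in defanged form. The sample input is constructed by re-encoding three strings and the URL from the array above; the function names are illustrative.

```python
import re

# Constructed sample: entries from the page's decoded array, re-encoded as \x
# escapes. This is not the original injected script.
SAMPLE = r'''var _0x446d=["\x5F\x6D\x61\x75\x74\x68\x74\x6F\x6B\x65\x6E",
"\x69\x6E\x64\x65\x78\x4F\x66","\x63\x6F\x6F\x6B\x69\x65",
"\x68\x78\x78\x70\x73\x3A\x2F\x2F\x7A\x65\x65\x70\x2E\x6C\x79\x2F\x65\x76\x34\x56\x61"];'''

# A JavaScript string literal in either quote style, with backslash escapes.
STR = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
# var _0xNNNN = [ "...", "...", ... ]  (array made only of string literals)
ARRAY_RE = re.compile(
    r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:\s*(?:' + STR + r')\s*,?)*)\s*\]')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)', re.S)
SIMPLE = {'n': '\n', 't': '\t', 'r': '\r'}


def _unescape(body):
    """Resolve \\xNN, \\uNNNN and single-character escapes in a literal body."""
    def repl(m):
        if m.group(1) or m.group(2):
            return chr(int(m.group(1) or m.group(2), 16))
        return SIMPLE.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(repl, body)


def decode_string_arrays(js):
    """Return {array_name: [decoded strings]} using text parsing only."""
    return {name: [_unescape(lit[1:-1]) for lit in re.findall(STR, body)]
            for name, body in ARRAY_RE.findall(js)}


def defang(url):
    """Rewrite a URL so it cannot be clicked or auto-linked in a report."""
    scheme, rest = url.split('://', 1)
    host, sep, path = rest.partition('/')
    scheme = re.sub('tt', 'xx', scheme, flags=re.I)
    return scheme + '://' + host.replace('.', '[.]') + sep + path


def redirect_iocs(js):
    """List URL-like strings found in decoded arrays, defanged."""
    return [defang(s) for strings in decode_string_arrays(js).values()
            for s in strings if re.match(r'h(?:tt|xx)ps?://', s, re.I)]


if __name__ == '__main__':
    print(decode_string_arrays(SAMPLE))
    print(redirect_iocs(SAMPLE))
```

Because the decoder only parses text, it can be run over files pulled from a compromised site without a JavaScript sandbox.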
Continue reading Legacy Mauthtoken Malware Continues to Redirect Mobile Users at Sucuri Blog.
The post Legacy Mauthtoken Malware Continues to Redirect Mobile Users appeared first on Security Boulevard.
Article Link: https://securityboulevard.com/2020/11/legacy-mauthtoken-malware-continues-to-redirect-mobile-users/