Legacy Mauthtoken Malware Continues to Redirect Mobile Users

During malware analysis, we regularly find variations of this injected script on various compromised websites: .

The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we’ll end up with the following code:

var _0x446d=[“_mauthtoken”,”indexOf”,”cookie”,”userAgent”,”vendor”,”opera”,”hxxps://zeep.ly/ev4Va”,”googlebot”,”test”,”substr”,”getTime”,”_mauthtoken=1; path=/;expires=”,”toUTCString”,”location”];

In this array, you can find a “shortened” redirect URL: hxxps://zeep[.]ly/ev4Va.

Continue reading Legacy Mauthtoken Malware Continues to Redirect Mobile Users at Sucuri Blog.

Read more: Legacy Mauthtoken Malware Continues to Redirect Mobile Users