During malware analysis, we regularly find variations of this injected script on various compromised websites: .
The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we’ll end up with the following code:
var _0x446d=["_mauthtoken","indexOf","cookie","userAgent","vendor","opera","hxxps://zeep.ly/ev4Va","googlebot","test","substr","getTime","_mauthtoken=1; path=/;expires=","toUTCString","location"];
In this array, you can find a “shortened” redirect URL: hxxps://zeep[.]ly/ev4Va. These redirect URLs may change from site to site, otherwise the code remains the same for this injection.
The distinguishing part of the malware is the _mauthtoken cookie that it sets and checks to prevent redirects for returning visitors. This features makes troubleshooting much harder, since visitors can’t reproduce redirects.
The malware only redirects visitors on mobile devices. To accomplish this, it tests the browser’s user-agent string against a pretty long list of known mobile user agents, including a large number that have not been actively used for some time.
This malware itself isn’t new, either. We’ve been detecting and cleaning this injection for more than three years now. However, even in 2020, there are still many sites infected with it.
At the time of writing, PublicWWW returns 1441 sites containing the string “var _0x446d=[“x5fx6dx61x75x74x68x74x6fx6bx65x6e” and 185 sites with a less obfuscated version containing the the document.cookie.indexOf(“_mauthtoken” string.
If you’ve received complaints from some of your site visitors about random unwanted redirects on mobile devices, make sure to scan your site for malware. Our online scanner SiteCheck detects both variations of this injection and can help you pinpoint the threat.
*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Krasimir Konov. Read the original post at: https://blog.sucuri.net/2020/11/legacy-mauthtoken-malware-continues-to-redirect-mobile-users.html