Mobile Click-Jacking Trojan: Trojan:JS/Redirector.CuttlycoAsia Analysis Report

July 29, 2025

Issue Reported

The WordPress website has been compromised with obfuscated JavaScript malware that hooks click events and, for mobile visitors only, redirects the browser to attacker-controlled URLs on cuttlyco.asia. The malware evades casual inspection through mobile device detection, time-based delays and localStorage tracking of which visitors have already been redirected.

Malware Type

Mobile-Targeted Click Hijacking Redirect Malware (Trojan:JS/Redirector variant)

This malware belongs to the category of JavaScript redirect trojans that specifically target mobile devices. "Click-jacking" here means hijacking the page's click events through an injected listener, not the iframe-overlay UI redress attack the term usually describes. The code runs entirely in the visitor's browser, needs no access to the visitor's file system, and keeps state between visits through localStorage; its only foothold on the server is the injected script itself.

Code Breakdown and Decoding

Obfuscation Techniques Used:

  • Hex-encoded string literals (\x68\x74\x74\x70... for "http") that hide the cuttlyco.asia URLs and the DOM method names from a plain-text search
  • A single string array holding those encoded strings, which the rest of the code references by index instead of using readable literals
  • Variable and function names replaced with meaningless hexadecimal identifiers (_0x3023, _0x1922f2, etc.)
  • Single-line code compression to hinder manual analysis

Decoded Malicious URLs:

  • http://cuttlyco.asia/gqr0c90
  • http://cuttlyco.asia/XEz1c01
  • http://cuttlyco.asia/Qxm3c43
  • http://cuttlyco.asia/XUu5c15
  • http://cuttlyco.asia/yLk8c98
  • http://cuttlyco.asia/yVV9c99
  • http://cuttlyco.asia/VQl4c94
  • http://cuttlyco.asia/pPr7c57
  • http://cuttlyco.asia/RdS2c92
  • http://cuttlyco.asia/gHb6c96
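The decoding described above can be automated. The following is an added example written for this report, not code from the original page or from the malware itself: it locates the obfuscator's hex-escaped string array, decodes it, lists the URLs and hostnames as indicators, and rewrites the `_0x3023[0x1]`-style references back into readable literals. SAMPLE_SOURCE is a constructed snippet in the same style (one of the URLs from the list above plus three method and key names); it is not the actual injected script, and the parameter name `_0x1922f2` is only borrowed from the report's list of identifiers.

```javascript
// Added example, not code from the original report: pull the IOCs out of an
// obfuscated sample of this family by decoding its hex-escaped string array
// and resolving the array references. SAMPLE_SOURCE is a constructed snippet
// in the same style (one of the report's URLs plus three method/key names);
// it is not the actual injected script.
const SAMPLE_SOURCE = String.raw`var _0x3023=['\x68\x74\x74\x70\x3a\x2f\x2f\x63\x75\x74\x74\x6c\x79\x63\x6f\x2e\x61\x73\x69\x61\x2f\x67\x71\x72\x30\x63\x39\x30','\x61\x64\x64\x45\x76\x65\x6e\x74\x4c\x69\x73\x74\x65\x6e\x65\x72','\x63\x6c\x69\x63\x6b','\x2d\x6c\x6f\x63\x61\x6c\x2d\x73\x74\x6f\x72\x61\x67\x65'];document[_0x3023[0x1]](_0x3023[0x2],function(_0x1922f2){_0x1922f2['stopPropagation']();});`;

// Turn "\x68\x74..." (and "\u00xx") escape sequences back into characters
function decodeHexEscapes(s) {
  return s
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate the obfuscator's string array (var _0x....=[...];) and decode its items
function extractStringArray(source) {
  const m = source.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([\s\S]*?)\];/);
  if (!m) return null;
  const items = [];
  const literal = /'((?:\\.|[^'\\])*)'/g;
  let hit;
  while ((hit = literal.exec(m[2])) !== null) items.push(decodeHexEscapes(hit[1]));
  return { name: m[1], items };
}

// Indicators worth blocking or searching for: full URLs and their hostnames
function extractIocs(source) {
  const arr = extractStringArray(source);
  if (!arr) return { arrayName: null, strings: [], urls: [], domains: [] };
  const urls = arr.items.filter((s) => /^https?:\/\//i.test(s));
  const domains = [...new Set(urls.map((u) => new URL(u).hostname))];
  return { arrayName: arr.name, strings: arr.items, urls, domains };
}

// Replace _0x3023[0x1]-style lookups with the decoded literal so the call
// sites (document["addEventListener"]("click", ...)) become readable
function resolveReferences(source) {
  const arr = extractStringArray(source);
  if (!arr) return source;
  const ref = new RegExp(arr.name + '\\[(0x[0-9a-fA-F]+|\\d+)\\]', 'g');
  return source.replace(ref, (_, idx) => JSON.stringify(arr.items[Number(idx)]));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(extractIocs(SAMPLE_SOURCE));
  console.log(resolveReferences(SAMPLE_SOURCE));
}
```

Run it with Node against a real sample by replacing SAMPLE_SOURCE with the file contents; the decoded URL list is what to block at the proxy or search for across the site, and the resolved source is what you read to confirm the click handler and localStorage logic described in the next section.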

Core Functionality Analysis:

1. Mobile Device Detection Function:
window.mobileCheck = function() {
    // Tests the user-agent string against a long regex of mobile browser
    // markers (Android, iPhone, iPad, iPod, BlackBerry, Windows Phone, Opera
    // Mini and many more); the pattern below is abbreviated, the sample's is
    // several hundred characters long.
    // Returns true for mobile devices, false for desktop browsers.
    var ua = navigator.userAgent || navigator.vendor || window.opera || '';
    return /android|iphone|ipad|ipod|blackberry|iemobile|windows phone|opera mini/i.test(ua);
};
2. Click Event Hijacking:
document.addEventListener('click', maliciousClickHandler);
function maliciousClickHandler(event) {
    // stopPropagation() keeps the click from reaching the site's own listeners;
    // it does not cancel the default action, so the link still appears to work
    event.stopPropagation();
    // the redirect logic runs for mobile devices only (subject to the timing
    // and localStorage gates below); desktop visitors get normal behaviour
    if (!window.mobileCheck()) return;
    // ... otherwise the browser is sent to the next unused cuttlyco.asia URL
}
3. Time-Based Evasion:
  • 3-minute delay before the first redirect, so a visitor's initial clicks (and a quick check by the site owner) look normal
  • 6-hour reset cycle after which the tracking data is cleared and the URL rotation starts over
  • Math.random() and timing arithmetic vary the behaviour from visit to visit, so two attempts to reproduce it rarely look identical
4. localStorage Persistence:
// Marks a redirect URL as already used for this visitor, so each of the ten
// decoded URLs is served at most once per cycle
localStorage.setItem(url + '-local-storage', 1);
// Records when the timers started: '-mnts' drives the 3-minute activation
// delay, '-hurs' the 6-hour reset cycle (both keyed on the site's hostname)
localStorage.setItem(hostname + '-mnts', currentTime);
localStorage.setItem(hostname + '-hurs', currentTime);
5. Selective Targeting:
  • Primary target: mobile device users (smartphones, tablets), as selected by window.mobileCheck()
  • Secondary filtering: the referrer source and the timers above decide whether a given click is redirected
  • Practical consequence: desktop browsers never see the redirect, so a site owner reviewing the site from a laptop will not reproduce it; test from a mobile device, or a desktop browser with a mobile user-agent string, and wait out the 3-minute delay
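To make the interaction of the mobile check, the two timers and the localStorage markers concrete, here is an added reconstruction written for this report, not the malware's own code. The key suffixes ('-mnts', '-hurs', '-local-storage'), the 3-minute delay, the 6-hour reset and the ten URLs come from the analysis above; the order in which the checks are applied, the deterministic choice of the next URL (the real sample uses Math.random()) and the hostname victim.example are assumptions. The storage object stands in for window.localStorage so the model runs in Node without a browser.

```javascript
// Added reconstruction, not the malware's own code: a pure-function model of
// the timing and localStorage gates described above. Key suffixes ('-mnts',
// '-hurs', '-local-storage'), the 3-minute delay and the 6-hour reset come
// from the report; the order of the checks, the deterministic URL choice
// (the sample uses Math.random()) and the hostname are assumptions.
const ACTIVATION_DELAY_MS = 3 * 60 * 1000;    // 3-minute delay before activation
const RESET_WINDOW_MS = 6 * 60 * 60 * 1000;   // 6-hour reset cycle

// The ten decoded redirect targets from the report
const REDIRECT_URLS = [
  'http://cuttlyco.asia/gqr0c90', 'http://cuttlyco.asia/XEz1c01',
  'http://cuttlyco.asia/Qxm3c43', 'http://cuttlyco.asia/XUu5c15',
  'http://cuttlyco.asia/yLk8c98', 'http://cuttlyco.asia/yVV9c99',
  'http://cuttlyco.asia/VQl4c94', 'http://cuttlyco.asia/pPr7c57',
  'http://cuttlyco.asia/RdS2c92', 'http://cuttlyco.asia/gHb6c96',
];

// In-memory stand-in for window.localStorage (values are strings, as in browsers)
function makeStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    keys: () => [...map.keys()],
  };
}

// One click at epoch-ms `now`. Returns the redirect URL, or null when a gate
// blocks it, and updates storage the way the malware's bookkeeping would.
function evaluateClick({ storage, hostname, isMobile, now }) {
  if (!isMobile) return null;               // desktop browsers never redirect
  const hoursKey = hostname + '-hurs';
  const minsKey = hostname + '-mnts';

  // 6-hour cycle: no timer yet, or timer older than 6 h -> reset and re-arm
  const cycleStart = Number(storage.getItem(hoursKey));
  if (!cycleStart || now - cycleStart > RESET_WINDOW_MS) {
    for (const u of REDIRECT_URLS) storage.removeItem(u + '-local-storage');
    storage.setItem(hoursKey, now);
    storage.setItem(minsKey, now);
    return null;                            // the arming click itself is clean
  }

  // 3-minute delay: clicks inside the first three minutes behave normally
  const armedAt = Number(storage.getItem(minsKey));
  if (now - armedAt < ACTIVATION_DELAY_MS) return null;

  // Serve each URL at most once per cycle
  const url = REDIRECT_URLS.find((u) => storage.getItem(u + '-local-storage') === null);
  if (!url) return null;
  storage.setItem(url + '-local-storage', 1);
  return url;
}

// Cleanup for a visitor's browser: returns the marker keys it removed
function clearMarkers(storage, hostname) {
  const markers = storage.keys().filter((k) =>
    k === hostname + '-hurs' || k === hostname + '-mnts' || k.endsWith('-local-storage'));
  markers.forEach((k) => storage.removeItem(k));
  return markers;
}

// Constructed timeline: a mobile visitor clicking at minutes 0, 1, 4 and 5
function simulateSession(hostname = 'victim.example') {   // hypothetical site
  const storage = makeStorage();
  const t0 = Date.UTC(2025, 6, 29);                        // 2025-07-29 00:00 UTC
  const clicks = [0, 1, 4, 5].map((minute) => ({
    minute,
    redirect: evaluateClick({ storage, hostname, isMobile: true, now: t0 + minute * 60000 }),
  }));
  return { clicks, storage, hostname };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { clicks, storage, hostname } = simulateSession();
  console.log(clicks);                       // minutes 0 and 1: null; 4 and 5: a URL each
  console.log('markers left behind:', storage.keys());
  console.log('removed:', clearMarkers(storage, hostname));
}
```

The simulated session shows why a short check from a desktop, or even from a phone, usually finds nothing: the first click only arms the timers, anything inside the next three minutes is clean, and a desktop user-agent is filtered out before the timers are even consulted. clearMarkers is the browser-side equivalent of clearing site data; it is harmless once the injected script has been removed from the server, but does nothing to stop the redirect while the script is still live.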

Result

This malware combines mobile-only targeting, a delayed start and localStorage bookkeeping so that the redirect is hard to reproduce by the site owner and rarely fires twice for the same visitor, while sending mobile users to cuttlyco.asia URLs that can serve whatever content the operator chooses. Cleanup means locating and removing every copy of the injected script (search the theme, plugin and upload directories and the database for the hex-encoded string array and for "cuttlyco.asia"), closing the entry point that allowed the injection so the site is not reinfected, and then confirming from a mobile browser, or a desktop browser with a mobile user-agent, that clicks no longer redirect after the 3-minute delay. Markers already written to visitors' localStorage are inert once the script is gone.
