Like Troj/JSRedir-AK, Troj/JSRedir-AR has two distinct forms:
- injected into HTML files as a malicious <SCRIPT> tag
The Gumblar team appears to have replaced the Troj/JSRedir-AK infections with Troj/JSRedir-AR. Over the weekend Troj/JSRedir-AR accounted for ~20% of infections, compared with ~8% for Troj/JSRedir-AK (NB: JS/Sinowal-Gen was at ~2%).
Interestingly, over at the Unmask Parasites blog, they also noticed this change.
It looks like this month my colleagues and I will be playing cat and mouse with the Gumblar team.