If you've read this blog at all lately, you'll no doubt have read the previous blog entries I've made concerning this, and hilariously, they're still trying - evidently not realising their attempts aren't going to work.
The latest attempt comes from 201-92-227-227.dsl.telesp.net.br (IP: 220.127.116.11), and is in the same form as previously;
The part we're interested in, as before, is the Hex between CAST( and %20AS%20VARCHAR (%20 is the space character, so this translates to AS VARCHAR). This code translates this time to;
This shows us they've got another URL, pormce.ru. If we run this through vURL we see;
Which is the usual obfuscation rubbish we're used to, and it's very easily decoded using Malzilla;
This shows us another URL, this time pointing to deryv.ru. This script contains two more scripts that I've not decoded yet, but they're very similar to the previous Asprox injections.
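The first decoding step described above (pulling the hex out from between CAST( and %20AS%20VARCHAR in a logged request and turning it back into text) can be scripted for log review. This is an added example, not code from the original post; the log line, the payload text and the example.invalid URL are constructed, and the NVARCHAR (UTF-16) handling goes beyond the VARCHAR case shown here.

```python
import re
from urllib.parse import unquote_plus

# Hex blob between "CAST(0x" and " AS VARCHAR" / " AS NVARCHAR" (after URL-decoding).
CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def decode_cast_payloads(log_line):
    """Return the decoded text of every CAST(0x... AS [N]VARCHAR) in a log line."""
    text = unquote_plus(log_line)  # turns %20 (and +) back into spaces
    decoded = []
    for hex_blob, sql_type in CAST_RE.findall(text):
        wide = sql_type.upper() == "NVARCHAR"
        unit = 4 if wide else 2  # hex digits per character
        # Tolerate log entries truncated mid-character.
        hex_blob = hex_blob[: len(hex_blob) - len(hex_blob) % unit]
        raw = bytes.fromhex(hex_blob)
        decoded.append(raw.decode("utf-16-le" if wide else "latin-1", errors="replace"))
    return decoded


def extract_urls(decoded_payloads):
    """Collect unique URLs from decoded payloads, for blocklists or a follow-up look."""
    urls = []
    for payload in decoded_payloads:
        for url in URL_RE.findall(payload):
            if url not in urls:
                urls.append(url)
    return urls


# Constructed sample (not from the original post): harmless text, hex-encoded
# and wrapped the way the logged request wraps its payload.
SAMPLE_TEXT = "-- constructed sample: script src=http://example.invalid/b.js"
SAMPLE_LOG_LINE = (
    "GET /page.asp?id=1;SET%20@S=CAST(0x"
    + SAMPLE_TEXT.encode("ascii").hex().upper()
    + "%20AS%20VARCHAR(4000)) 200"
)

if __name__ == "__main__":
    payloads = decode_cast_payloads(SAMPLE_LOG_LINE)
    print(payloads)
    print(extract_urls(payloads))
```
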