Hello, welcome to the Friday, August 19th, 2016 edition, the Sands and its Storms Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Stockholm, Germany.

Brad came across an interesting case that he documented in a diary in which one compromised website

was used to spread two different exploit kits, one via the pseudo

darkleash script and a second one via an injected EITES script.

Now it's not uncommon to find that vulnerable websites are compromised multiple times, but in

this case literally the

exploit JavaScript was right after each other for these typically competing

with each other malware campaigns not really clear whether this was the same

individual that set up these two links but that's probably the most likely

explanation in this case because what we have typically seen in other cases is that particular

pseudo dark leach will prevent any other exploit kit from running on the same page either way

you'll either end up with the Cripmic Ransomere

or with something that Pratt believes was Wattrack variant.

That's essentially just a troach that will wait for further instructions down the road.

So really just more persistence mechanism.

The possible advantage for the attacker is that they will of course get users that are

vulnerable to either of the exploits being used here but that comes at a cost in

that it's more likely for the exploits to get detected and the user

will not even load the page and Brad actually shows how his snort install did

trigger on these particular exploit kits and then we have first winter

bulletins trickling in regarding the release of the equation crew

...