The Ukrainian website is the 704th most popular website in Ukraine, according to Alexa. The exploit does not trigger every time the site is loaded, so there must be some logic on the attacker side that controls when the redirection to the malware occurs.



Here is the full infection chain: 

[Infection chain diagram: 1 start, 3 payload (malware)]


The website redirects to a Flash exploit for CVE-2015-5122 hosted at . The exploit is part of the RIG exploit kit. The kit's JavaScript code can detect the presence of some antivirus software on the system; see the code listing below.

In this case malvertising was not involved; instead the site itself was compromised. Specifically, the following iframe was injected into the page:
<iframe src="" width="101" height="102"></iframe>
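As an added, defender-side illustration (not code from the original write-up), the following Python script scans a page for iframes with the footprint described above: an unusually small box such as 101x102, an off-site source, or a frame hidden by style. The sample HTML, the placeholder host names and the size threshold are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus an injected iframe shaped
# like the one described above (101x102, pointing at an off-site host).
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<p>story text</p>
<iframe src="http://gate.example-placeholder.test/land.php" width="101" height="102"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _int_attr(attrs, name):
    """Parse a width/height attribute such as '101' or '101px'; None if absent."""
    try:
        return int(attrs.get(name, "").strip().rstrip("px"))
    except ValueError:
        return None

def suspicious_iframes(html, page_host, max_dim=150):
    """Return iframes that look injected, each with the reasons it was flagged.

    A frame is reported when it is small (both sides <= max_dim, the constructed
    threshold) or hidden by inline style; an off-site src is recorded as an extra
    reason but does not by itself flag a frame, so ordinary embeds stay quiet."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        reasons = []
        w, h = _int_attr(attrs, "width"), _int_attr(attrs, "height")
        if w is not None and h is not None and w <= max_dim and h <= max_dim:
            reasons.append(f"small frame {w}x{h}")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if reasons and host and host != page_host and not host.endswith("." + page_host):
            reasons.append(f"off-site src {host}")
        if reasons:
            hits.append({"src": src, "reasons": reasons})
    return hits
```

Run against a periodic crawl of your own pages, the script surfaces newly injected frames that a visual check of the site would miss.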

We reached out to UniCredit to notify them of this attack, but have not heard back so far.

Interestingly, this is not the only attack on a prominent Ukrainian website this week. Two days ago, on Jul 13 at 09:31 UTC, we saw the same attack, likely by the same group, on another high-profile Ukrainian news site: .


RBC stands for RosBusinessConsulting, a large media group listed on the Russian stock exchange as RBCM. It has more than 1500 employees and revenue of $81 million. Here is the infection chain:

[Infection chain diagram: 1 start, 2 payload (malware)]


The RIG exploit kit was also used in this compromise. RIG is a popular exploit kit that has been around for about a year and is sold on various “underground” forums. See the screenshot below (from ).

Cyphort Labs is monitoring this campaign and analyzing the payload executable and will share more results as soon as they become available.