Popular news site rbc[dot]ua is currently hacked and infecting its visitors via the RIG exploit kit. The majority of the traffic to the site comes from Ukraine with over 6 million monthly visits, according to SimilarWeb.
This may sound familiar to some, and indeed it is: about a week ago Cyphort blogged about an identical incident.
RIG exploit kit

Landing page:
The payload for this particular campaign is CryptoWall, a nasty strain of crypto ransomware that holds your files hostage. VT link.
You may have noticed that the URL for this payload differs from the one used by the classic RIG EK. The domain and IP address (18.104.22.168) used for the landing page and Flash exploit are not the same as those used for the dropped file (IP: 22.214.171.124).
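The host mismatch described above can be checked for in web proxy logs. The following is an added example, not code from the original post: it pairs each binary download with the Flash fetch that preceded it for the same client and labels the chain by whether both came from the same server. The record fields, the 30-second window, and all hosts and IP addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed proxy records; hosts and IPs are placeholders, not indicators from the post.
Rec = namedtuple("Rec", "ts client server_ip host content_type")
SAMPLE = [
    Rec(100, "10.0.0.5", "192.0.2.10", "landing.example", "text/html"),
    Rec(101, "10.0.0.5", "192.0.2.10", "landing.example", "application/x-shockwave-flash"),
    Rec(104, "10.0.0.5", "192.0.2.10", "landing.example", "application/octet-stream"),
    Rec(200, "10.0.0.9", "192.0.2.10", "landing.example", "text/html"),
    Rec(201, "10.0.0.9", "192.0.2.10", "landing.example", "application/x-shockwave-flash"),
    Rec(205, "10.0.0.9", "198.51.100.7", "payload.example", "application/x-msdownload"),
    Rec(900, "10.0.0.9", "203.0.113.3", "updates.example", "application/octet-stream"),
]

FLASH = "application/x-shockwave-flash"
BINARY = {"application/octet-stream", "application/x-msdownload"}


def classify_chains(records, window=30):
    """Return (client, kind, flash_ip, payload_ip) for each binary download
    that follows a Flash fetch by the same client within `window` seconds.
    kind is "same-host" when payload and Flash share a server, else "split-host".
    """
    last_flash = {}  # client -> most recent Flash record
    findings = []
    for rec in sorted(records, key=lambda r: r.ts):
        if rec.content_type == FLASH:
            last_flash[rec.client] = rec
        elif rec.content_type in BINARY:
            flash = last_flash.get(rec.client)
            if flash is None or rec.ts - flash.ts > window:
                continue  # no recent Flash fetch: not the pattern of interest
            same = (rec.server_ip, rec.host) == (flash.server_ip, flash.host)
            kind = "same-host" if same else "split-host"
            findings.append((rec.client, kind, flash.server_ip, rec.server_ip))
    return findings


if __name__ == "__main__":
    for finding in classify_chains(SAMPLE):
        print(finding)
```

A "split-host" result is a lead for triage rather than a verdict, since legitimate sites also serve downloads from separate hosts.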
Classic RIG EK:
Unusual RIG EK:
We have reached out to the Ukrainian site to let them know about this attack and hope they can fix the problem to prevent further infections.
Malwarebytes Anti-Exploit users were already protected against this drive-by download attack.