American news outlets hijacked to deliver SocGholish malware
Hundreds of news websites across the US have been compromised to deliver malware to their readers, researchers are saying.
Experts from Proofpoint discovered a malware (opens in new tab) distribution campaign that targeted an unnamed media company in the US which owns hundreds of websites belonging to various newspapers.
Allegedly, some of the sites are national, others are from New York, Boston, Chicago, Miami, Washington, D.C., and others.
Fake browser updates
In other words, website visitors would be prompted to download fake browser updates delivered as ZIP archives.
“The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.
“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”
Proofpoint also said that SocGholish can be used to launch stage-two attacks, which could include ransomware infections, as well. It seems to be speaking from experience here, as Evil Corp, an infamous Russia-based threat actor, is known for using SocGholish in similar campaigns. It once even tried to deploy its WastedLocker ransomware, but was thwarted by Symantec.
In this particular situation, it seems that the attack is the work of a group tracked as TA569.
“The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation,” the researchers warned.