Hackers are distributing the SocGholish JavaScript malware framework (also known as FakeUpdates) through the compromised infrastructure of an undisclosed media company.
The media company in question provides both video content and advertising to major news outlets. According to Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint, “[It] serves many different companies in different markets across the United States.”
The threat actor behind the supply-chain attack, tracked by Proofpoint as TA569, appears to have injected malicious code into a benign JavaScript file that the media outlets’ websites load.
Malicious JavaScript File – Attacks Again After Remediation
This malicious JavaScript file installs SocGholish, which targets visitors of the compromised websites with malware payloads disguised as browser updates and delivered through fake update alerts (e.g., Chrome.Urdate.zip, Chrome.Updater.zip, Firefokh.Urdate.zip, Opera.Update.zip, Oper.Updte.zip).
In a Twitter thread, Proofpoint’s Threat Insight account stated: “Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners.”
“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”
According to security researchers at Proofpoint, the malware has affected more than 250 U.S. news outlets, among them major ones.
Proofpoint has not given an exact number of affected news organizations, but says it knows of affected media organizations (including national news outlets) in New York, Boston, Chicago, Miami, and Washington, D.C.
Another notable aspect of this attack is that the actor returns soon after the first compromise is remediated. Proofpoint’s researchers noted: “The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation.”
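The two defensive points this story raises are pinning a third-party script so the browser refuses a modified copy (Subresource Integrity), and monitoring successive fetches of that script so a reinfection after clean-up is flagged rather than silently accepted. The following is an added illustration, not code from Proofpoint or the affected company; the script bodies and timestamps are constructed, and the “injected” copy is only a placeholder comment.

```python
import base64
import hashlib

# Constructed sample content: a benign partner script, and the same script
# with an opaque placeholder standing in for injected code (no real payload).
BENIGN_JS = "window.partnerWidget = function () { /* render video player */ };\n"
TAMPERED_JS = BENIGN_JS + "/* constructed placeholder for injected code */\n"


def sri_token(content):
    """Return the Subresource Integrity value for a script body.

    Pinning this value in <script integrity="..."> makes the browser refuse
    to execute the third-party file if its bytes no longer match.
    """
    digest = hashlib.sha384(content.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_snapshots(baseline, snapshots):
    """Compare successive fetches of one third-party script against a baseline.

    snapshots: (timestamp, content) pairs in time order. A mismatch is
    reported as 'tampered'; a mismatch that follows a return to the baseline
    is reported as 'reinfected', the pattern described in the article.
    """
    expected = sri_token(baseline)
    events = []
    seen_tampered = False   # a mismatch has occurred at some point
    was_remediated = False  # the script returned to baseline after a mismatch
    for ts, content in snapshots:
        if sri_token(content) == expected:
            if seen_tampered:
                was_remediated = True
            continue
        kind = "reinfected" if was_remediated else "tampered"
        events.append({"time": ts, "kind": kind, "observed": sri_token(content)})
        seen_tampered = True
        was_remediated = False
    return events


if __name__ == "__main__":
    timeline = [("day1", BENIGN_JS), ("day2", TAMPERED_JS),
                ("day3", BENIGN_JS), ("day6", TAMPERED_JS)]
    print("pin this:", sri_token(BENIGN_JS))
    for event in audit_snapshots(BENIGN_JS, timeline):
        print(event["time"], event["kind"])
```

SRI only helps where the partner script is static enough to pin; for content that legitimately changes, the snapshot comparison above needs its baseline refreshed through a reviewed change, not automatically.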