While the total number of infected sites remains unknown, researchers say the affected media organisations include national news outlets in New York, Boston, Chicago, Miami and Washington DC, among others.
Once loaded on a compromised site, the malicious file deploys SocGholish, which then targets the site's visitors with fake browser updates delivered as ZIP archives. The lure is a fake pop-up telling the visitor that their browser needs updating; no browser exploit is involved, and the infection only happens when an unsuspecting user downloads the archive and runs its contents, at which point SocGholish is installed on their machine.
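Two checks a defender can script from the chain described above: flag a "browser update" download that is a ZIP containing a script rather than an installer, and flag external script includes on a site's pages that are not the site's own or on an allowlist. The following is an added example, not code from the original article or from any of the researchers it cites; the sample ZIP, the sample HTML, the hostnames `news.example`, `cdn.example` and `third-party.example`, and the list of script extensions are constructed assumptions for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types a legitimate browser update never ships as; a ZIP whose members are
# scripts is the hallmark of a fake-update lure. (Assumed list, not from the article.)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".hta", ".wsf", ".ps1", ".cmd", ".bat", ".lnk"}


def suspicious_update_zip(data: bytes) -> list[str]:
    """Return the names of script-type members inside a ZIP that was offered as a browser update.

    An empty list means either no script members were found or the data is not a ZIP.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def foreign_script_sources(html: str, site_host: str, allowlist: set[str]) -> list[str]:
    """Return script includes that load from a host other than the site itself or its allowlist.

    Relative paths and same-host URLs are ignored; any other host is reported so an
    analyst can review it. This is a triage heuristic, not proof of compromise.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    foreign = []
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for relative paths
        if host is None:
            continue
        if host != site_host.lower() and host not in {h.lower() for h in allowlist}:
            foreign.append(src)
    return foreign


def build_sample_zip() -> bytes:
    """Constructed stand-in for a fake-update download: a ZIP holding a single .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Chrome.Update.js", "// harmless placeholder, not a real dropper\n")
    return buf.getvalue()


# Constructed page: one same-site script, one allowlisted CDN, one injected third-party include.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://third-party.example/update.js"></script>
</head><body>news</body></html>
"""


if __name__ == "__main__":
    print("script members in update ZIP:", suspicious_update_zip(build_sample_zip()))
    print("foreign script includes:", foreign_script_sources(SAMPLE_HTML, "news.example", {"cdn.example"}))
```

Run the ZIP check against downloads logged by a proxy with names like "update" in them, and the script-source check against periodic crawls of your own site; either hit is worth a manual look, since a real browser update is never a ZIP served from a news site.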
The framework has also been used in the past by the Evil Corp group in a similar campaign that affected employees of over 30 major US firms, again using fake software update alerts delivered through compromised US news websites. The employees' infected machines were then used as a foothold into the companies' enterprise networks to deploy the WastedLocker ransomware.