Security researchers at Proofpoint have discovered threat actors using an already compromised network infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware also known as FakeUpdates on as many as 250 news outlet websites in the US.
While the total number of infected sites remains unknown, researchers claim that they know of affected media organisations that include national news outlets from New York, Boston, Chicago, Miami and Washington DC among others.
SocGholish or FakeUpdates is a malicious Javascript-based malware framework that has been in use since at least 2017. Once installed on the target system, it can install payloads including Remote Access Trojans (RATs), information stealers and Cobalt Strike beacons. It also acts as an intermediary step for threat actors in cases of targeted ransomware attacks.
The threat actor, tracked as TA569 by Proofpoint, injected malicious code in an otherwise non-harmful JavaScript file that’s loaded on the target websites. Since the aforementioned media company provides video content and advertising to these outlets, its network gives the threat actor direct access to the targets.
Once loaded on the target site, the malicious file installs SocGholish which in turn infects visitors to the infected websites in the form of fake browser updates delivered as ZIP archives. These updates are delivered via fake pop-ups that ask the user to update their browser. Unsuspecting users that end up downloading these updates and installing them, unknowingly infect their machines with SocGholish.
This isn’t the first thing TA569 has hijacked JavaScript files on a server to install SocGholish, nor this is the first time a threat actor has used this particular malware. Proofpoint has already observed TA569 deploying the malware using fake updates and website redirects to infect users, with ransomware payloads in some cases.
The framework has also been used in the past by the Evil Corp group in a similar campaign that affected employees from over 30 major US firms using fake software update alerts delivered through compromised US news websites. These computers were later used to access the companies’ enterprise network to deploy the WastedLocker ransomware.
In the News:Â PSVR2 is scheduled to launch on February 22, starting at $549.99