Researchers at Proofpoint have found that a threat group tracked as TA569 has been using US news websites to deliver the SocGholish malware to visitors’ systems. The group has infected more than 250 news websites in the United States with SocGholish, and the researchers expect the true number to be higher.
How was the SocGholish malware employed?
The SocGholish malware the attackers used against visitors’ devices is also known as FakeUpdates, because visitors to the news websites were shown a message asking them to update their browsers; the offered downloads were ZIP archives that were actually malware payloads disguised as browser updates. Some of the ZIP archive names observed were:
- Update.zip and
A series of tweets by Proofpoint’s Threat Insight team stated that intermittent injections had been observed on a media company’s sites, with the malicious JavaScript being injected on a rotating basis. “TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore, the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive,” said one tweet. Infection took place once unsuspecting visitors to the news websites downloaded the malicious payloads.
— Threat Insight (@threatinsight) November 2, 2022
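Because the injected script comes and goes from hour to hour, a single scan of an affected page can miss it, and a script seen in one snapshot but not the next is exactly the signal Proofpoint says not to dismiss. The following is an added example, not code from the article or from Proofpoint: it takes several timed snapshots of one page's HTML, fingerprints every external and inline script, and flags any script that is absent from at least one snapshot. The snapshots and the domains in them (`cdn.example-news.test`, `injected-loader.invalid`) are constructed placeholders, not real site content or indicators.

```python
import hashlib
import re
from collections import defaultdict

# Constructed snapshots of one page fetched at different times.
# Domains are placeholders (.test / .invalid), not real indicators.
SNAPSHOTS = {
    "2022-11-02T09:00": """<html><head>
<script src="https://cdn.example-news.test/site.js"></script>
<script>window.siteConfig = {edition: "morning"};</script>
</head><body>...</body></html>""",
    "2022-11-02T10:00": """<html><head>
<script src="https://cdn.example-news.test/site.js"></script>
<script>window.siteConfig = {edition: "morning"};</script>
<script src="https://injected-loader.invalid/update.js"></script>
</head><body>...</body></html>""",
    "2022-11-02T11:00": """<html><head>
<script src="https://cdn.example-news.test/site.js"></script>
<script>window.siteConfig = {edition: "morning"};</script>
</head><body>...</body></html>""",
    "2022-11-02T12:00": """<html><head>
<script src="https://cdn.example-news.test/site.js"></script>
<script>window.siteConfig = {edition: "morning"};</script>
<script src="https://injected-loader.invalid/update.js"></script>
</head><body>...</body></html>""",
}

# Matches each <script ...>...</script> element; DOTALL lets inline bodies span lines.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_scripts(html):
    """Return the set of script identities on a page: 'src:<url>' for external
    scripts, 'inline:<sha256 prefix>' for the body of inline scripts."""
    ids = set()
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            ids.add("src:" + m.group(1).strip())
        elif body.strip():
            digest = hashlib.sha256(body.strip().encode()).hexdigest()[:16]
            ids.add("inline:" + digest)
    return ids


def intermittent_scripts(snapshots):
    """Map each script identity to the snapshot times in which it appeared,
    keeping only scripts that are missing from at least one snapshot.
    A script that rotates in and out is reported; stable site scripts are not."""
    seen = defaultdict(list)
    for when in sorted(snapshots):
        for sid in extract_scripts(snapshots[when]):
            seen[sid].append(when)
    total = len(snapshots)
    return {sid: times for sid, times in seen.items() if len(times) < total}


def report(snapshots):
    """Print one line per intermittent script and return the findings."""
    flagged = intermittent_scripts(snapshots)
    for sid, times in sorted(flagged.items()):
        print(f"INTERMITTENT {sid}: present in {len(times)}/{len(snapshots)} "
              f"snapshots ({', '.join(times)})")
    return flagged


if __name__ == "__main__":
    report(SNAPSHOTS)
```

The stable first-party script and the inline config never trigger, while the loader that appears only in the 10:00 and 12:00 snapshots is reported with the exact times it was present. In practice the snapshots would be periodic fetches of a site's own pages, and the comparison is against an allowlist of expected scripts rather than only against earlier snapshots.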
How the media company’s systems were breached is not yet known, Proofpoint Vice President Sherrod DeGrippo told TechCrunch. The list of 250 U.S. newspaper sites infected with SocGholish includes many regional titles serving cities such as Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington DC.
The TA569 group has been compromising content management systems and hosting accounts since 2016 and has been associated with several attacks and with groups such as Evil Corp. SocGholish was also used by the Russian Evil Corp group in earlier campaigns that likewise infected victims via fake software update alerts.