Heimdal

More than 250 regional and national US newspaper sites have fallen victim to a supply chain attack and are now spreading malware to their readers.

Researchers from the cybersecurity company Proofpoint discovered a malware distribution campaign, deployed by a threat actor tracked as TA569, that targeted a US media company which owns hundreds of websites belonging to various newspapers.

The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States.


SocGholish Malware

The sites affected by the supply-chain attack deliver their content to readers using benign JavaScript code, and the threat actor responsible for the attack has injected malicious code into that JavaScript file. Website visitors are prompted to download fake browser updates delivered as ZIP archives (e.g., Chromе.Uрdatе.zip, Chrome.Updater.zip, Firefoх.Uрdatе.zip, Operа.Updаte.zip, Oper.Updte.zip), when in fact they would be opening the door to the installation of SocGholish.
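Several of the archive names listed above swap Cyrillic letters in for Latin ones, so a plain ASCII string match on "Chrome.Update.zip" will not see them. The following is an added example, not code from Proofpoint or from this article, of a download-name check that folds lookalike letters before matching; the confusables map, the verdict labels and the sample names (written with explicit escapes, modelled on the names above) are assumptions.

```python
import unicodedata

# Assumed, deliberately small map of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})
BROWSERS = ("chrome", "firefox", "opera")  # browser names used in the lures above

def stem_scripts(filename):
    """Scripts used by letters in the name, ignoring the final extension."""
    stem = filename.rsplit(".", 1)[0]
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in stem if ch.isalpha()}

def skeleton(filename):
    """Lowercase, then fold known lookalikes to Latin so keywords can match."""
    return filename.lower().translate(CONFUSABLES)

def classify(filename):
    skel = skeleton(filename)
    lure = (skel.endswith(".zip") and "updat" in skel
            and any(b in skel for b in BROWSERS))
    mixed = len(stem_scripts(filename)) > 1
    if lure and mixed:
        return "homoglyph-lure"   # lookalike letters hiding a browser-update name
    if lure:
        return "update-lure"      # plain ASCII, still a browser "update" in a ZIP
    return "mixed-script" if mixed else "ok"

# Constructed samples; \u escapes make the Cyrillic substitutions visible.
SAMPLES = [
    "Chrom\u0435.U\u0440dat\u0435.zip",   # Cyrillic ie and er
    "Firefo\u0445.U\u0440dat\u0435.zip",  # Cyrillic ha, er, ie
    "Oper\u0430.Upd\u0430te.zip",         # Cyrillic a
    "Chrome.Updater.zip",                 # pure ASCII lure
    "\u043e\u0442\u0447\u0451\u0442.zip", # legitimate all-Cyrillic name
    "quarterly-report.zip",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{classify(name):15} {name!r} -> {skeleton(name)!r}")
```

Script mixing is measured on the name without its extension, so a legitimate all-Cyrillic file name with a Latin `.zip` suffix is not flagged, while the ASCII-only lure is still caught by the keyword match.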

A report released in August determined that there have been 25,000 sites infected with the malware since January 2022 and 61,000 infected sites in 2021.

In the past, SocGholish, also known as FakeUpdates, has been linked to the cybercrime group Evil Corp. However, in a series of tweets, the researchers did not determine TA569 to be Evil Corp.

Ties to Ransomware Attacks

According to BleepingComputer, Proofpoint has observed previous SocGholish campaigns using fake updates and website redirects to deploy ransomware payloads. The suspicion that Evil Corp might be responsible is not so far-fetched, since the cybercrime gang also used SocGholish in a similar campaign that targeted the employees of more than 30 major U.S. private firms with fake software update alerts delivered via dozens of compromised U.S. newspaper websites.


Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.
