The threat actor known as TA569 has compromised the infrastructure of an undisclosed media company and is using this infrastructure to deploy the SocGholish JavaScript malware framework on the websites of hundreds of newspapers across the United States. While the exact number of compromised websites is unknown, more than 250 have been identified by Proofpoint and they noted that the attack has affected outlets based in New York, Boston, Chicago, Miami, and Washington D.C., among others. The media company in question is a firm that provides video content and advertising to major news outlets.
To carry out this campaign, TA569 injected malicious code into a benign JavaScript file that gets loaded by the compromised websites. This file was then used to install SocGholish, which infected those who visit the compromised websites with malware payloads camouflaged as fake browsers updates. These fake browser updates were delivered as ZIP archives in formats such as “Chrome.Update.zip” and “Firefox.Update.Zip” via fake alerts.
Similar campaigns using SocGholish have been seen from other threat actors in the past. For example, the Evil Corp cybercrime gang used SocGholish to infect over 30 U.S. private firms. This attack was also carried out through fake updates on compromised news websites with an end goal of ransomware deployment.
Analyst Notes
This campaign highlights the ever-growing threat of supply-chain attacks. Typically, when browsing a newspaper website, the end user feels as if the site is reputable and secure. Combining this with a fake update alert from SocGholish, many users may trust this alert and fall victim to the threat actor. This form of phishing, while it can be completed at a much smaller scale, is amplified by the undisclosed media company compromise, as it allows the actors to compromise hundreds of different websites at once.
As this campaign is coming from legitimate and reputable sites, detection is more difficult. In the past, recommended detections for SocGholish search for file creations in the format “x.Update.Zip” as well as monitoring common paths that this malware has been seen writing to. However, these could easily be changed by an attacker, so the best strategy would be to ensure that organizations are implementing a defense-in-depth strategy that would detect any post-exploitation activities that may be carried out by actors using SocGholish.
https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-push-malware-in-supply-chain-attack/
