Hundreds of US news websites have been compromised to deliver malware to their readers, researchers say.
Proofpoint experts have discovered a malware distribution campaign targeting an undisclosed US media company that owns hundreds of newspaper websites.
Reportedly, some of the sites are national outlets, while others serve cities including New York, Boston, Chicago, Miami and Washington, DC.
Fake browser updates
Visitors to the compromised sites were prompted to download fake browser updates, delivered as ZIP archives.
“The media company in question is a company that provides both video content and advertisements to major news channels. [It] serves many different companies in different markets in the United States,” Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.
“By modifying the codebase of this otherwise benign JS, it is now being used to deploy SocGholish.”
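The attack described above works because a script the news sites already trusted was altered at its source, so every page embedding it began serving the fake update prompt. One defensive control against that kind of tampering is to pin each third-party script to a known-good hash, both in the page (via the Subresource Integrity `integrity` attribute) and in an out-of-band monitor that re-fetches the script and flags any drift. The example below is added here and is not code from Proofpoint, BleepingComputer or the affected company; the script bodies, URL and the `fetch_script` callable are constructed placeholders for illustration.

```python
import base64
import hashlib
import hmac

# Constructed baseline: the benign player script as approved by the site owner.
BASELINE_JS = b"window.initPlayer = function () { /* benign video player bootstrap */ };\n"

# Constructed tampered copy: the same script with an appended snippet that injects
# a fake "your browser is out of date" banner (placeholder text, not real malware).
TAMPERED_JS = BASELINE_JS + (
    b"document.body.insertAdjacentHTML('beforeend', "
    b"'<div class=\"upd\">Your browser is out of date. Download the update.</div>');\n"
)

# Constructed URL of the third-party script, as a site owner would record it.
PLAYER_URL = "https://cdn.example-media.test/player.js"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ('algo-base64digest') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Build a <script> tag that makes the browser refuse a script whose hash has changed."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def check_script(content: bytes, expected_integrity: str) -> bool:
    """True if the fetched script body still matches the pinned integrity value."""
    algo = expected_integrity.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), expected_integrity)


def audit_scripts(pinned: dict, fetch_script) -> list:
    """Re-fetch every pinned script and return the URLs whose content has drifted.

    `pinned` maps URL -> expected integrity value; `fetch_script(url)` returns the
    current body as bytes (an assumed callable, supplied by the caller).
    """
    drifted = []
    for url, integrity in pinned.items():
        if not check_script(fetch_script(url), integrity):
            drifted.append(url)
    return drifted


if __name__ == "__main__":
    pinned = {PLAYER_URL: sri_hash(BASELINE_JS)}
    print(script_tag(PLAYER_URL, pinned[PLAYER_URL]))
    # Simulated CDN that now serves the tampered copy; the monitor should flag it.
    print("drifted:", audit_scripts(pinned, lambda url: TAMPERED_JS))
```

The browser-side pin stops the page from executing a modified script at all, while the monitor gives the site owner an alert so the upstream compromise is noticed rather than silently blocked. Both rely on the baseline hash being recorded when the script was known good, and on updating it deliberately whenever the vendor ships a legitimate new version.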
Proofpoint also said SocGholish could be used to launch second-stage attacks, including ransomware infections. It seems to speak from experience here: Evil Corp, a notorious Russia-based threat actor, is known for using SocGholish in similar campaigns, and once attempted to deploy its WastedLocker ransomware through it before being thwarted by Symantec.
In this particular situation, it appears that the attack is the work of a group being tracked as TA569.
“The situation needs to be monitored closely as Proofpoint has observed that TA569 reinfects the same assets just days after recovery,” the researchers cautioned.
Via: BleepingComputer