Cybercriminals are using the compromised infrastructure of an unnamed media company to deploy the SocGholish malware framework on more than 250 US-based newspaper websites.
“The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” said Sherrod DeGrippo, VP of threat research and detection at Proofpoint.
According to Proofpoint, the group behind this supply-chain attack appears to be TA569. The attackers injected malicious code into a JavaScript file that the media company serves and that the news websites load.
The malicious JS file is used to deploy SocGholish to visitors of the compromised websites. The malware is disguised as a fake browser update delivered in a ZIP file and is presented to the visitor as an update alert.
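The attack chain above hinges on a third-party script that the news sites embed and trust. As an added defensive example (not code from the article, Proofpoint, or the affected company), the following Python snippet shows how a site owner can baseline the embedded third-party JavaScript with a Subresource Integrity hash and flag the kind of intermittent change described here; the URLs and script contents are constructed.

```python
import base64
import hashlib

# Constructed sample of a third-party widget script as it looked when it was reviewed.
KNOWN_GOOD_JS = b"(function(){window.mediaWidget={version:'1.4'};})();"
WIDGET_URL = "https://cdn.example.invalid/widget.js"  # hypothetical URL


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string ('sha384-<base64 digest>') for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_script_tag(url: str, content: bytes) -> str:
    """Emit a <script> tag pinned to the reviewed content; a browser refuses a modified file."""
    return f'<script src="{url}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def check_scripts(baseline: dict, fetched: dict) -> list:
    """Compare each third-party script's current bytes against its baselined SRI hash.

    baseline: {url: sri string recorded when the script was reviewed}
    fetched:  {url: bytes retrieved now}
    Returns (url, status) pairs; status is 'ok', 'changed', 'missing' or 'new'.
    """
    findings = []
    for url, expected in baseline.items():
        if url not in fetched:
            findings.append((url, "missing"))
            continue
        algo = expected.split("-", 1)[0]  # reuse the algorithm the baseline was taken with
        status = "ok" if sri_hash(fetched[url], algo) == expected else "changed"
        findings.append((url, status))
    for url in fetched:
        if url not in baseline:
            findings.append((url, "new"))  # a script nobody reviewed is now being served
    return findings


def demo() -> list:
    """Constructed scenario: the reviewed script comes back with extra bytes appended."""
    baseline = {WIDGET_URL: sri_hash(KNOWN_GOOD_JS)}
    fetched = {WIDGET_URL: KNOWN_GOOD_JS + b"/* constructed: appended content */"}
    return check_scripts(baseline, fetched)


if __name__ == "__main__":
    print(sri_script_tag(WIDGET_URL, KNOWN_GOOD_JS))
    print(demo())  # [('https://cdn.example.invalid/widget.js', 'changed')]
```

SRI only helps for scripts whose content is static and versioned; for ad or video loaders that legitimately change, run the hash comparison as a scheduled monitor and review each change instead of pinning it in the tag.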
“Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners,” tweeted Proofpoint’s Threat Insight team.
According to Proofpoint's report, more than 250 US news websites have been affected by this malware, among them the sites of major news broadcasters in New York, Washington D.C., Chicago, Boston and elsewhere.
“TA569 has previously leveraged media assets to distribute SocGholish malware, and this malware can lead to follow-on infections, including potential ransomware,” said DeGrippo.
SocGholish infections have historically been followed by further payloads, and Proofpoint is continuing to monitor TA569 and its activity; follow-on compromises are expected.
Proofpoint has already observed SocGholish campaigns that use fake updates and compromised websites to infect end users, including with ransomware payloads.
The same SocGholish malware has previously been used to compromise US private firms via fake software updates. After infecting the targeted devices, the operators use them as stepping stones into the organization's critical networks and then deploy WastedLocker ransomware.
In that case, timely intervention by Symantec and its security operations team stopped SocGholish before it could encrypt the network.
Only recently we saw another malware family, 'Bumblebee', that can stealthily deploy ransomware into a targeted network. All of these malware families and their maneuvers serve the same goal: deploying ransomware into the infected network.