A threat actor group tracked as TA569 by Proofpoint has distributed malicious JavaScript to more than 250 regional and national newspaper sites in the U.S. The malware supply-chain attack uses the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites. The compromised company provides both video content and advertising to major news outlets in markets across the country: Boston, New York, Chicago, Miami, Washington DC, Cincinnati and Palm Beach.

SocGholish infects devices that visit the compromised websites with malware payloads camouflaged as fake browser update alerts delivered as ZIP archives: Chromе.Uрdatе.zip, Chrome.Updater.zip, Firefoх.Uрdatе.zip, Operа.Updаte.zip, Oper.Update.zip.
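Several of the archive names above use Cyrillic look-alike letters in place of Latin ones, so an exact-match rule on "Chrome.Update.zip" will miss them. The following defender-side check is an added example, not part of the original advisory. It flags browser-update archive names that mix scripts; the look-alike map, the brand watch-list and the sample names are assumptions constructed for illustration.

```python
import unicodedata

# Cyrillic-to-Latin look-alikes (constructed subset for this example; the
# Unicode confusables table is the complete source).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x"}
BRANDS = ("chrome", "firefox", "opera", "edge")  # assumed watch-list
ARCHIVE_EXT = (".zip",)

def script_of(ch):
    """Approximate a letter's script from the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def foreign_letters(name):
    """Return (char, code point, script) for every non-Latin letter."""
    return [(c, f"U+{ord(c):04X}", script_of(c))
            for c in name if c.isalpha() and script_of(c) != "LATIN"]

def skeleton(name):
    """Lower-case the name and fold known look-alikes to ASCII."""
    return "".join(LOOKALIKES.get(c, c) for c in name.lower())

def assess(name):
    """Classify a file name as 'homoglyph', 'lure-name' or 'clean'."""
    folded = skeleton(name)
    lure = (folded.endswith(ARCHIVE_EXT) and "update" in folded
            and any(b in folded for b in BRANDS))
    has_latin = any(script_of(c) == "LATIN" for c in name if c.isalpha())
    mixed = has_latin and bool(foreign_letters(name))
    if lure and mixed:
        return "homoglyph"   # browser-update name spelled with mixed scripts
    if lure:
        return "lure-name"   # plain ASCII, still matches the lure pattern
    return "clean"

# Constructed sample names modelled on the list above, code points escaped.
SAMPLES = [
    "Chrom\u0435.U\u0440dat\u0435.zip",
    "Oper\u0430.Upd\u0430te.zip",
    "Chrome.Updater.zip",
    "quarterly-report.zip",
    "\u043e\u0442\u0447\u0435\u0442.zip",  # Cyrillic stem, no lure pattern
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(assess(n), [cp for _, cp, _ in foreign_letters(n)])
```

A name is only flagged when it also matches the browser-update lure pattern, so ordinary non-Latin file names are left alone.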

Impact

Websites compromised with SocGholish HTML injections execute a series of logic checks to determine if the victim is eligible to be served a payload. The attackers frequently use various methods of tracking users to avoid duplicate infection and analysis, making incident response difficult. There are also multiple variations of SocGholish injections. Depending on the victim's location, operating system, IP address, browser and other tracking mechanisms, the malicious code may lead to a fake browser update/software update offer.

DXC perspective

Although detecting this malware threat is challenging, a secured infrastructure and robust cyber defense program can help guard against attacks.