According to cybersecurity firm Proofpoint, a cybercriminal organisation infiltrated a media content provider in order to spread malware on the websites of hundreds of news publications in the United States.
Proofpoint has identified the threat actors as “TA569,” who used the media organisation to disseminate SocGholish, a bespoke virus that has been active since at least 2018.
The media firm in question has not been identified, but it has been contacted and is said to be investigating. Proofpoint’s vice president of threat research and detection, Sherrod DeGrippo, tells TechCrunch that the company delivers “both video content and advertising to big news publications.” DeGrippo went on to say that 250 national and regional newspaper websites in the United States are affected, including media companies in Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, D.C.
It’s unclear how the unidentified media organisation was hacked, but DeGrippo says TA569 “has a documented history of infecting content management systems and hosting accounts.”
The SocGholish code is embedded into an otherwise benign JavaScript file that the news providers’ websites load from the compromised content provider; once loaded, it prompts the website visitor to download a bogus software update. In this campaign the prompt takes the form of a browser update for Chrome, Firefox, Internet Explorer, Edge, or Opera.
“If the victim downloads and runs this ‘fakeupdate,’ they will be infected with the SocGholish payload,” DeGrippo explained. “This attack chain necessitates end-user activity at two points: accepting the download and executing the payload.”
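The exposure described above is a third-party script that every page of a publication pulls in, so whoever controls the provider controls what visitors run. The following added example (not code from Proofpoint or the affected provider) audits the external `<script>` tags of a page and flags third-party scripts loaded without a Subresource Integrity attribute; the sample HTML and all hostnames are constructed placeholders.

```python
"""Flag third-party <script> tags that a page loads without Subresource Integrity (SRI).

Added example for the supply-chain risk discussed above. The HTML below is constructed
and the hostnames are placeholders, not the compromised provider.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one third-party script with SRI,
# one third-party script without SRI, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.video-provider.invalid/player.js"></script>
<script src="https://cdn.ads-provider.invalid/tag.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag that loads an external file."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html, site_host):
    """Return the src of each third-party script that carries no SRI integrity attribute.

    A script is third-party when its URL names a host other than site_host;
    relative URLs are treated as first-party.
    """
    parser = ScriptCollector()
    parser.feed(html)
    flagged = []
    for src, integrity in parser.scripts:
        host = urlparse(src).hostname
        if host is None or host == site_host:
            continue  # first-party script: not the exposure this campaign used
        if not integrity:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src in audit_scripts(SAMPLE_HTML, "news.example.invalid"):
        print("third-party script without SRI:", src)
```

SRI only protects scripts whose content is fixed; video and advertising tags that update themselves cannot carry a hash, so for those the practical controls are a strict allowlist of script origins (for example via Content-Security-Policy) and monitoring of what the provider actually serves.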
According to Proofpoint, SocGholish is an “initial access threat” that, once successfully planted, has traditionally functioned as a prelude to ransomware. According to the firm, the threat actors’ ultimate purpose is financial gain.
Proofpoint tells TechCrunch that it “assesses with high confidence” that TA569 is linked to WastedLocker, a ransomware strain developed by the US-sanctioned Evil Corp organisation. The firm also stated that it does not believe TA569 is Evil Corp itself, but rather that it operates as a middleman for the hacking gang.
It was disclosed earlier this year that Evil Corp employs a ransomware-as-a-service strategy to evade US sanctions. The gang was sanctioned in December 2019 for its substantial role in developing the Dridex malware, which it used to steal over $100 million from hundreds of banks and financial organisations.