U.S News Websites Delivering Malware Through Compromised Third-Party JavaScript Code

A media company that provides video content and advertising on the websites of major news outlets in the United States has been compromised, and its infrastructure is being used to push the SocGholish JavaScript malware framework out to hundreds of newspapers in the United States. According to cybersecurity firm Proofpoint, more than 250 U.S. news outlets have had the malicious code intermittently displayed on their websites. Some of the sites displaying the malicious ads are national news outlets. The exact number of affected news outlets is not yet known.

The malware framework, also known as Fake Updates, has been loaded into a JavaScript file that is sent to the websites of the news outlets. The JavaScript code is normally benign but has been modified to deliver adverts that attempt to install SocGholish malware on the devices of visitors to those websites. The malicious adverts display warnings alerting visitors that their web browsers need to be updated, and if clicked, a file download is triggered. The downloaded .zip file includes an executable file that installs the malware payload. The zip files are named based on the user’s browser, such as Chromе.Uрdatе.zip, Chrome.Updater.zip, Firefoх.Uрdatе.zip, Operа.Updаte.zip, or Oper.Updte.zip.

SocGholish is used to gain initial access to devices and has been actively used since at least April 2018. The SocGholish threat actor, tracked as TA569 by Proofpoint, primarily delivers the malware through compromised websites masquerading as software updates. SocGholish has been linked to the Russian cybercriminal group, Evil Corp. In previous campaigns, infected devices have had secondary malware payloads delivered, including NetSupportRAT, BLISTER malware, Raspberry Robin malware, and Cobalt Strike, with the latter leading to WastedLocker ransomware attacks.

Proofpoint said previous attacks involving compromised websites have seen the websites reinfected shortly after remediation, so the situation needs to be closely monitored. A similar SocGholish campaign was conducted in 2021 which saw the malware framework added to the websites of dozens of news outlets, resulting in the malware being downloaded by more than 30 major U.S. firms. In those attacks, WastedLocker ransomware was deployed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news