Crime group hijacks hundreds of US news websites to push malware
A cybercriminal group has compromised a media content provider to deploy malware on the websites of hundreds of news outlets in the U.S., according to cybersecurity company Proofpoint.
The threat actors, tracked by Proofpoint as “TA569,” compromised the media organization to spread SocGholish, a custom malware active since at least 2018.
The media company in question is not named, but was notified and is said to be investigating. Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, tells TechCrunch that the organization provides "both video content and advertising to major news outlets." DeGrippo added that 250 U.S. national newspaper sites and regional websites are affected, including media organizations serving Boston, Chicago, Cincinnati, Miami, New York, Palm Beach and Washington, D.C.
It’s unclear how the unnamed media company was compromised, but DeGrippo added that TA569 “has a demonstrated history of compromising content management systems and hosting accounts.”
News of the site hijackings were first tweeted out Wednesday.
Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company.
— Threat Insight (@threatinsight) November 2, 2022
The SocGholish malware is injected into a benign JavaScript file that is loaded by the news outlets' websites, which prompts the website visitor to download a fake software update. In this campaign, the prompt takes the form of a browser update for Chrome, Firefox, Internet Explorer, Edge or Opera.
“If the victim downloads and executes this ‘fakeupdate’ they will be infected by the SocGholish payload,” said DeGrippo. “This attack chain requires interaction from the end user at two points: accepting the download and executing the payload.”
SocGholish serves as an “initial access threat,” which if successfully planted have historically served as a precursor to ransomware, according to Proofpoint. The threat actors' end goal, the company says, is financial gain.
Proofpoint tells TechCrunch that it “assesses with high confidence” that TA569 is associated with WastedLocker, a variant of ransomware developed by the U.S.-sanctioned Evil Corp group. The company added that it does not believe TA569 is Evil Corp but rather acts as a broker of already-compromised devices for the hacking group.
It was revealed earlier this year that Evil Corp uses a ransomware-as-a-service model in an effort to skirt U.S. sanctions. The gang was sanctioned December 2019 due to its extensive development of Dridex malware, which the gang used to steal more than $100 million from hundreds of banks and financial institutions.
