Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S.
The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets' websites.
This malicious JavaScript file is used to install SocGholish, which will infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates delivered as ZIP archives (e.g., Chromе.Uрdatе.zip, Chrome.Updater.zip, Firefoх.Uрdatе.zip, Operа.Updаte.zip, Oper.Updte.zip) via fake update alerts.
"Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners," Proofpoint's Threat Insight team
revealed today in a Twitter thread.
"By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish."
