Cyber

More than 250 newspaper sites across the US access malicious JavaScript in malware supply-chain attack

Editorial Desk
Editorial Desk

A threat actor known as TA569 by security experts at Proofpoint have created malicious JavaScript and distributed it to more than 250 regional and national newspaper sites in the US in a malware supply-chain attack

A large number of U.S. news sites have been infected with SocGholish JavaScript malware framework (known as FakeUpdates) due to the compromised infrastructure of an undisclosed media firm.

Security experts at enterprise security firm Proofpoint says 250 U.S. news sites have been infected by the malware.

The threat actor behind the supply-chain attacks (tracked by Proofpoint as TA569) injected malicious code into a benign JavaScript file and then gets loaded by the news outlets’ websites.

In a tweet thread, the Threat Insight unit said the media company that was serving as the host for this malicious code served content to its partners using JavaScript.

The affected media organisations served:

  • Boston
  • New York
  • Chicago
  • Miami
  • Washington DC
  • Cincinnati
  • Palm Beach

VP of threat research and detection at Proofpoint Sherrod DeGrippo, says the media company in affected is a firm that provides video and advertising content to major news outlets.

TA569 historically removed and reinstated these malicious JS [JavaScript] injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive.” says Proofpoint.

According to the firm Red Canary SocGholish is an initial access threat that leverages drive-by-downloads masquerading as software updates.

In a post about the threat the firm said SocGholish relies on social engineering to gain execution, tricking unsuspecting users into running a malicious JavaScript payload stored within a downloaded ZIP file.

Those who visit compromised websites may be infected with malware payloads disguised as fake browser updates delivered as ZIP archives.

Examples of the devlivered ZIP archives as a result of the malicious JavaScript file are:

  • Chromе.Uрdatе.zip
  • Chrome.Updаte.zip
  • Firefoх.Uрdatе.zip
  • Operа.Updаte.zip
  • Oper.Updаte.zip

SocGholish, recently used to backdoor networks infected with the Raspberry Robin malware was recently used in what Microsoft described as Evil Corp pre-ransomware behavior.

ByEditorial Desk
The TBN team is a well establish group of technology industry professionals with backgrounds in IT Systems, Business Communications and Journalism.
Previous Article Game7 and MetaMask web 3 MetaMask Partners with DAO, Game7, to Develop the World’s First Web3-native Game Launcher
Next Article cash converters partners with Nexion Cash Converters partners with Nexion to upgrade its branch office and improve cybersecurity
Leave a Comment

Leave a Reply

U.S. news sites malware supply-chain attack

Tech Articles

Gmail AI is reading your emails — here is how to stop it

Your Gmail Account May Be Feeding Google’s AI—Here’s What You Need to Know

Your Gmail account may be contributing to Google’s AI systems…

How the World’s Data Centres Are Quietly Burning the Planet

Data centres are burning the planet, with a growing environmental…

Chatbots Condemning Children To Antisocial Behaviour?

Are Chatbots Condemning Children To Antisocial Behaviour?

Are Chatbots Condemning Children To Antisocial Behaviour? Not by default…

Recent News