SocGholish Drops JavaScript File from Compromised News Sites
Research from Proofpoint's Threat Research team and BleepingComputer has uncovered the distribution of the SocGholish attack framework through compromised news media sites used for drive-by downloads. Proofpoint attributes the activity to TA569, which carried out a supply-chain attack by injecting malicious code into JavaScript files that the websites of various news outlets pull from a third party. "Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious JavaScript. The actual number of impacted hosts is known only by the impacted media company."

The affected outlets serve several large markets, including New York, Chicago, Boston, Washington DC, and Miami. SocGholish keeps to its fake-update theme: the initial payload is a zip archive named as an update for a common browser.

"TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore, the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive."
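Two defender-side checks follow from the traits described above: the lure is a zip archive named like a browser update that delivers a script rather than an installer, and the injected JavaScript comes and goes, so a third-party asset has to be re-checked on a schedule rather than inspected once. The code below is an added example written for this write-up; it is not code from Proofpoint, BleepingComputer, or the SocGholish research. The archive names and contents are constructed samples, and the browser-name list and script-extension list are assumptions chosen for the demo, not indicators taken from the article.

```python
"""Added example (not from the article): defender-side checks for the two
SocGholish traits the write-up describes. Archive names, contents and hashes
below are constructed for the demo, not real indicators."""
import hashlib
import io
import re
import zipfile

# Browser names the lure imitates plus the "update" wording of the theme.
# Both lists are assumptions for this example, not taken from the article.
BROWSER_NAMES = ("chrome", "firefox", "edge", "opera", "brave", "safari")
UPDATE_WORDS = re.compile(r"(update|upgrade|installer)", re.IGNORECASE)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".hta")


def classify_archive(name: str, data: bytes) -> dict:
    """Verdict for a downloaded archive: does its name pose as a browser
    update, and does it deliver a script instead of a real installer?"""
    lowered = name.lower()
    poses_as_update = (
        lowered.endswith(".zip")
        and any(browser in lowered for browser in BROWSER_NAMES)
        and bool(UPDATE_WORDS.search(lowered))
    )
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m.filename for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        # Not a zip at all: report it, but do not claim a lure.
        return {"name": name, "poses_as_update": poses_as_update,
                "scripts": [], "verdict": "not-a-zip"}
    scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTS)]
    if poses_as_update and scripts:
        verdict = "fake-browser-update"   # name mimics an update, body is a script
    elif scripts:
        verdict = "script-in-archive"     # worth a look, but no update lure
    else:
        verdict = "clean"
    return {"name": name, "poses_as_update": poses_as_update,
            "scripts": scripts, "verdict": verdict}


def fingerprint(body: bytes) -> str:
    """SHA-256 of a served asset, recorded once as the known-good baseline."""
    return hashlib.sha256(body).hexdigest()


def asset_drift(baseline_sha256: str, body: bytes) -> bool:
    """True when a third-party JS asset no longer matches the recorded hash.
    Because the inject is added and removed on a rotating basis, a scheduled
    fetch compared against the baseline catches the change even when a single
    manual check happened to land on a clean hour."""
    return fingerprint(body) != baseline_sha256


def _build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples: a lure-shaped archive and a harmless one.
CONSTRUCTED_LURE = _build_zip({"Chrome.Update.js": b"// constructed placeholder\n"})
CONSTRUCTED_BENIGN = _build_zip({"readme.txt": b"constructed placeholder\n"})


def demo() -> list:
    """Run both checks over the constructed samples and return the verdicts."""
    results = [
        classify_archive("Chrome.Update.zip", CONSTRUCTED_LURE)["verdict"],
        classify_archive("photos.zip", CONSTRUCTED_BENIGN)["verdict"],
        classify_archive("Firefox-upgrade.zip", b"not really a zip")["verdict"],
    ]
    clean_asset = b"window.siteWidget = function () {};\n"   # constructed
    baseline = fingerprint(clean_asset)
    results.append(asset_drift(baseline, clean_asset))
    results.append(asset_drift(baseline, clean_asset + b"/* changed */\n"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The archive check is deliberately narrow: it only raises the "fake-browser-update" verdict when both the update-style name and a script member are present, so ordinary zips with a stray script file are reported separately rather than lumped in with the lure. The drift check is what turns the "hour to hour" caveat into something operational: record the hash of each third-party asset your pages load, re-fetch on a schedule, and treat any change as an event to review rather than assuming a clean fetch means a clean asset.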