An undisclosed media organization serving Boston, New York, Chicago, Miami, and other major cities has been hit by cybercriminals who are deploying malware on more than 250 newspaper websites, Proofpoint Threat Research reported on Twitter.
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.
— Threat Insight (@threatinsight) November 2, 2022
Proofpoint has identified the bad actor as TA569. The attackers inject malicious code into a benign JavaScript file, which is then picked up and loaded by the websites of the affected news outlets.
The modified file then deploys SocGholish: anyone who visits the affected websites will encounter fake browser updates that carry hidden malware payloads.
The media company in question supplies video content and advertising to major news outlets via JavaScript.
For more information on SocGholish, also known as FakeUpdates, and other malware attacks, see the threat insight Proofpoint published in June 2021.