The SocGholish (aka FakeUpdates) malware framework is back in a new campaign targeting U.S. news sites, Proofpoint revealed in a series of tweets. The threat actor infected the infrastructure of a media company that serves several news outlets with SocGholish.
Diving into details
The threat actor is tracked as TA569, which removed and replaced the JavaScript injects on an alternating basis.
The malicious payload has been accessed by over 250 regional and national newspaper sites.
The affected media organizations serve New York, Chicago, Miami, Boston, and others.
The malicious JavaScript launches SocGholish (FakeUpdates), which infects targets with malware payloads masquerading as browser updates.
Why this matters
TA569 has, in the past, deployed SocGholish on media assets, which can lead to potential ransomware attacks.
Furthermore, researchers have observed the threat actor reinfecting the same assets just a few days after remediation. Hence, the situation should be closely monitored.
SocGholish and ransomware attacks
Microsoft observed FakeUpdates being disseminated via existing Raspberry Robin worm infections, with associations observed between Evil Corp and DEV-0206.
Last year, Proofpoint found SocGholish campaigns using website redirects and fake updates to infect users with ransomware payloads.
Beware of these malware frameworks
The new Alchimist C2 framework was found capable of targeting macOS, Windows, and Linux. The Alchimist attack framework enables less-advanced attackers to launch their own attacks with little to no effort.
An attack framework dubbed Manjusaka can target both Linux and Windows. Cobalt Strike was used to deploy Manjusaka, depending on the victim's architecture.
The bottom line
Threat actors have diversified into delivering multi-stage payloads that often result in ransomware attacks. SocGholish has made hundreds of news sites push malware, infecting an unknown number of people across the U.S. Constant network monitoring is recommended.