SocGholish Targets U.S News Sites in New Attack Campaign

Diving into details

• The threat actor is tracked as TA569 who removed and replaced JavaScript injects on an alternating basis. 
• The malicious payload has been accessed by over 250 regional and national newspaper sites. 
• The affected media organizations serve New York, Chicago, Miami, Boston, and others. 
• The malicious JavaScript launches SocGholish (FakeUpdates) that infects targets with malware payloads masquerading as fake browser updates. 

Why this matters

• TA569 has, in the past, deployed SocGholish on media assets, which can lead to potential ransomware attacks.
• Furthermore, researchers have observed the threat actor reinfecting the same assets just a few days after remediation. Hence, the situation should be closely monitored. 

SocGholish and ransomware attacks

• Microsoft observed FakeUpdates being disseminated via existing Raspberry Robin worm infection, with associations observed between Evil Corp and DEV-0206. 
• Last year, Proofpoint found SocGholish campaigns using website redirects and fake updates to infect users with ransomware payloads. 

Beware of these malware frameworks

• The new Alchimist C2 framework was found capable of targeting macOS, Windows, and Linux. The Alchimist attack framework offers less-advanced attackers to launch their own attacks with little to no effort.
• An attack framework, dubbed Manjusaka, can target both Linux and Windows. Cobalt Strike was used to deploy Manjusaka depending on the victim’s architecture. 

The bottom line