Hundreds of US news sites hacked to send out malware

A white padlock on a dark digital background.
(Image credit:

Hundreds of news websites across the US have been compromised to deliver malware to their readers, researchers are saying. 

Experts from Proofpoint discovered a malware distribution campaign that targeted an unnamed media company in the US which owns hundreds of websites belonging to various newspapers. 

Allegedly, some of the sites are national, others are from New York, Boston, Chicago, Miami, Washington, D.C., and others. 

Fake browser updates

Overall, more than 250 websites owned by the company were hijacked to deliver the SocGholish JavaScript malware framework. These sites deliver their content to the readers via a benign JavaScript code. That code was hijacked to deliver what’s known as “initial access threat”, which pushes drive-by-downloads pretending to be software updates.

In other words, website visitors would be prompted to download fake browser updates delivered as ZIP archives.

"The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States," Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.

"Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners," Proofpoint said in a Twitter post. 

"By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish."

Proofpoint also said that SocGholish can be used to launch stage-two attacks, which could include ransomware infections, as well. It seems to be speaking from experience here, as Evil Corp, an infamous Russia-based threat actor, is known for using SocGholish in similar campaigns. It once even tried to deploy its WastedLocker ransomware, but was thwarted by Symantec. 

In this particular situation, it seems that the attack is the work of a group tracked as TA569.

"The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation," the researchers warned. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.