News Websites Deliver SocGholish

Hundreds of regional and national news websites in the United States are delivering malware because of a supply chain attack involving one of their service providers. Cybersecurity researchers reported on 02 November 2022 that a threat actor they track as TA569 appears to be behind the attack.  The hackers have targeted an unnamed media company that serves many news outlets in the US.

The service provider delivers content to its partners via a JavaScript file.  The attacker modified the code of that script to push a piece of malware known as SocGholish to the affected news websites’ visitors.  SocGholish is an attack framework that malicious actors have used since 2020.  The term Soc refers to using social engineering to deploy malware on systems.  SocGholish operators host a malicious website that implements a drive-by-download mechanism, such as JavaScript code or uniform resource locator (URL) redirections, to trigger the download of an archive file that contains malware.[1]
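The delivery path above (a partner script that every news site loads as-is) is exactly what Subresource Integrity is meant to catch: the site pins the script to a hash, and the browser refuses to run a copy whose content has changed. The Python below is an added illustration of that check, not code from the article or from any company it names; the partner URL and both script bodies are constructed samples.

```python
import base64
import hashlib

# Constructed sample: the partner script as originally delivered, and the same
# script with extra content appended by an upstream tamperer.
VENDOR_SCRIPT = b"window.partnerContent = function () { return 'headlines'; };\n"
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"/* content appended upstream */\n"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Render the <script> tag a publisher would embed to pin the partner script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(body: bytes, integrity_attr: str) -> bool:
    """Mirror the browser's SRI decision: only tokens of the strongest listed
    algorithm count, and the body is accepted if it matches any of them.
    Listing two tokens lets a publisher roll over to a new vendor version
    without a window where the old hash is the only one accepted."""
    tokens = [t.split("?", 1)[0] for t in integrity_attr.split() if "-" in t]
    best = max((STRENGTH.get(t.split("-", 1)[0], 0) for t in tokens), default=0)
    if best == 0:
        return False  # no recognised algorithm: nothing to verify against
    for token in tokens:
        algo = token.split("-", 1)[0]
        if STRENGTH.get(algo, 0) == best and sri_hash(body, algo) == token:
            return True
    return False


if __name__ == "__main__":
    pin = sri_hash(VENDOR_SCRIPT)
    print(script_tag("https://partner.example.invalid/content.js", VENDOR_SCRIPT))
    print("vendor copy accepted:", verify_integrity(VENDOR_SCRIPT, pin))
    print("tampered copy accepted:", verify_integrity(TAMPERED_SCRIPT, pin))
```

The pin only helps if the publisher, not the provider, controls it; a hash the provider updates alongside the script would simply follow the tampered content.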

The website displays content that might lure end-users, such as critical browser updates.  To infect the system, an end-user must manually decompress the archive file and execute the malware by double-clicking.  An infection with SocGholish may result in deploying the Cobalt Strike framework and ransomware.

Zloader is a malware primarily designed to steal credentials and sensitive data. Still, it also has backdoor capabilities and can act as a malware loader to deliver further malware on compromised systems.  For example, in the past, Zloader distributed the destructive Egregor and Ryuk ransomware.  First discovered in 2016, Zloader is under continuous development. Recent versions feature detection evasion capabilities, such as disabling Windows Defender and using living-off-the-land executables to conduct malicious activities.  In the past, malicious actors have distributed the Zloader malware as malicious attachments to emails.

Between December 2021 and October 2022, cyber threat investigators have observed an increase in the number of attacks involving SocGholish and Zloader.  In the attacks involving Zloader, malicious actors had distributed Zloader to systems through malicious websites with malware masquerading as an installer of popular applications, such as TeamViewer.

More than 250 news sites are impacted, including Boston, New York, Chicago, Washington DC, Miami, Palm Beach, and Cincinnati.  The actual number of victims could be higher.

TA569 historically removed and reinstated these malicious JS injects on a rotating basis.  Therefore, the presence of the payload and malicious content can vary from hour to hour and should not be considered a false positive.

SocGholish, also known as FakeUpdates because it’s often delivered as fake browser updates, has been around since at least 2017.  Web security firm Sucuri reported in August 2022 that it had seen 25,000 sites infected with the malware since the beginning of January and 61,000 infected sites in 2021.  SocGholish is a JavaScript malware framework, and some have linked it to the notorious Russian cybercrime group named Evil Corp (a.k.a. Indrik Spider and TA505).  Researchers do not believe TA569, which has been around since at least the end of 2016, is actually Evil Corp.



Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings  
