Hackers infected hundreds of news sites in the US

  • November 4, 2022


The source writes that the researchers track the hacker group behind these attacks under the identifier TA569. However, it is not clear whether this is a well-known group that has been in the news before, or someone new.

What is known

The hackers injected their code into a harmless JavaScript file uploaded to news feed sites. This file is then used to install the SocGholish JavaScript framework (also known as FakeUpdates), which infects visitors to the compromised sites with malware disguised as fake browser updates distributed as ZIP archives (e.g. Chrome.Urdate.zip, Chrome.Updater.zip, Firefox.Urdate.zip, Opera.Update.zip).

"The media company in question is a company that provides both video content and advertising to major news agencies. It serves many different companies in different markets in the United States," explains Sherrod DeGrippo, vice president of research and threat detection at Proofpoint, who discovered the systematic injection of new code.

According to analysts, the malware was uploaded to over 250 US news agency sites in total. Some of them are large and well-known organizations, but the names of the affected sources were not disclosed. While the total number of victims of the virus is unknown, Proofpoint says they include prominent publications in New York, Boston, Chicago, Miami, Washington, DC and more.

It is worth noting that SocGholish was previously used by the well-known Russian-speaking group Evil Corp. The current campaign closely resembles a campaign discovered in 2020. At that time, Evil Corp spread the virus using fake software update alerts sent through dozens of compromised US newspaper sites. Machines infected in this way were then used as entry points into corporate networks, where the attackers distributed WastedLocker ransomware.

Source: 24 Tv
