Malicious actors are using the compromised infrastructure of an unknown media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S.
The threat actor TA569 is behind these attacks, which inject malicious code into the JavaScript files served to various media outlet websites. Users visiting these compromised websites are also likely to be infected by SocGholish. The malware pushes fake browser updates to the websites' visitors (e.g. Oper.Updte.zip, Operа.Updаte.zip, Chromе.Uрdatе.zip, Chrome.Updater.zip, Firefoх.Uрdatе.zip).
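Several of the archive names above mix Latin and Cyrillic look-alike letters (a, e, o, p, x), so a plain string match on "Chrome.Update.zip" misses them. The following detector is an added example, not code from Proofpoint or from the article: it flags download filenames whose letters come from more than one Unicode script and, after mapping common Cyrillic confusables back to Latin, checks whether the name resembles a browser "update" archive. The sample filenames and the confusables table are constructed for the example, modelled on the names quoted above.

```python
import re
import unicodedata

# Constructed sample of download filenames (not real telemetry), written with
# explicit Cyrillic escapes so the homoglyphs are unambiguous:
#   \u0430 = Cyrillic a, \u0435 = Cyrillic ie (e), \u0440 = Cyrillic er (p),
#   \u0445 = Cyrillic ha (x)
SAMPLE_FILENAMES = [
    "Chrome.Updater.zip",                  # all Latin
    "Chrom\u0435.U\u0440dat\u0435.zip",   # "Chrome.Update.zip" with Cyrillic e, p
    "Firefo\u0445.U\u0440dat\u0435.zip",  # "Firefox.Update.zip" with Cyrillic x, p, e
    "Oper\u0430.Upd\u0430te.zip",         # "Opera.Update.zip" with Cyrillic a
    "quarterly-report.pdf",                # benign control
]

# Hypothetical confusables table: Cyrillic letters that render like Latin ones.
# A production detector would use the full Unicode confusables data instead.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Browser names followed by an "upd..." token and a .zip extension. Real browser
# updates are not shipped as zip archives, so this shape alone is worth a look.
FAKE_UPDATE_RE = re.compile(
    r"^(chrome|firefox|opera|edge)[._ -]*upd[a-z]*\.zip$", re.IGNORECASE
)


def letter_scripts(name):
    """Return the set of Unicode script names (LATIN, CYRILLIC, ...) used by
    the alphabetic characters in name. The script is taken from the first word
    of the character's Unicode name, which is the script for letters."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            try:
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:  # unnamed code point
                scripts.add("UNKNOWN")
    return scripts


def is_mixed_script(name):
    """True when the letters of a filename come from more than one script."""
    return len(letter_scripts(name)) > 1


def skeleton(name):
    """Normalise to NFKC and replace known Cyrillic confusables with the Latin
    letters they imitate, giving the string a human would think they saw."""
    normalised = unicodedata.normalize("NFKC", name)
    return "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in normalised)


def classify(name):
    """Return the list of reasons a filename looks like a fake-update lure.
    An empty list means nothing suspicious was found."""
    reasons = []
    if is_mixed_script(name):
        reasons.append("mixed-script letters (possible homoglyph spoofing)")
    if FAKE_UPDATE_RE.match(skeleton(name)):
        reasons.append("resembles a browser update archive after confusable mapping")
    return reasons


def scan(filenames):
    """Map each suspicious filename to its reasons; clean names are omitted."""
    results = {}
    for name in filenames:
        reasons = classify(name)
        if reasons:
            results[name] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FILENAMES).items():
        print(ascii(name), "->", "; ".join(reasons))
```

Run against proxy or endpoint download logs, the mixed-script check fires independently of the browser-name pattern, so it also catches lures that use a different product name; the confusable mapping is what lets the pattern match the homoglyph variants at all.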
Proofpoint's threat intelligence team revealed today that “Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners,”
“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”
In total, the malware has been installed on sites belonging to more than 250 U.S. news outlets, some of them being major news organizations, according to security researchers at enterprise security firm Proofpoint.
Proofpoint has previously observed SocGholish campaigns using fake updates and website redirects to infect users, including, in some cases, ransomware payloads.
The Evil Corp cybercrime gang also used SocGholish in a very similar campaign to infect the employees of more than 30 major U.S. private firms via fake software update alerts delivered via dozens of compromised U.S. newspaper websites.
The infected computers were later used as a stepping point into the employers’ enterprise networks in attacks attempting to deploy the gang’s WastedLocker ransomware.
Luckily, Symantec revealed in a report that it blocked Evil Corp’s attempts to encrypt the breached networks in attacks targeting multiple private companies, including 30 U.S. corporations, eight of them Fortune 500 companies.