SLED warns “HereCity” SC news websites hacked


The State Law Enforcement Division (SLED) is warning that a number of news websites across the State using the “HereCity” platform have been hacked and contain malicious JavaScript.
HereCity is a private company that builds and operates local news websites for communities across the United States under the naming convention here[cityname].com – (e.g., herecolumbia[.]com, herecharleston[.]com).
The sites are built on WordPress and are search engine optimized, meaning they frequently appear near the top of Google results when users search for local news.

While this bulletin focuses on the confirmed compromised sites serving South Carolina communities, the majority of HereCity’s broader network of sites also appear to be compromised and should be treated with caution regardless of state.
The attacker injected malicious JavaScript into each compromised site. When a user visits one of these pages, the script displays a fake browser error or CAPTCHA prompt instructing them to copy and paste a command into their Windows Run dialog (Win+R).
If the user complies, the command silently downloads and executes a PowerShell payload in the background with no further warning. The user’s machine is then compromised.
The malicious script is being served from ewar4pres[.]com and the payload is delivered through road-to-hell[.]top. Both domains should be treated as malicious infrastructure.
Recommended Actions –
Block all known compromised South Carolina-based sites and associated malicious infrastructure at the DNS and perimeter firewall levels;
Search endpoint and proxy logs for any connections to either domain; a hit may indicate that a user visited a compromised site or, worse, executed the payload;
Look for PowerShell processes launched with hidden window flags (-w h or -WindowStyle Hidden) that spawned from a browser process; this is a strong indicator of execution;
Remind users – no legitimate website will ever ask them to run a command on their computer.
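The following script is an added example of how the two log-hunting actions above can be implemented; it is not SLED's code and is not part of the bulletin. It assumes a simple proxy log layout of timestamp, client IP, method, URL and status (adjust the regex to your proxy's format), assumes a set of common browser image names, and additionally treats explorer.exe as a suspicious parent because a command pasted into the Win+R Run dialog is launched by Explorer rather than by the browser itself. The domains come from the bulletin and are kept defanged as published; the proxy lines and process events are constructed samples with placeholder paths and arguments.

```python
"""Hunt for the two indicators listed in the bulletin's Recommended Actions:
proxy connections to the named domains (including the compromised HereCity
sites) and PowerShell launched with a hidden window from a browser or Explorer.
All log records below are constructed samples, not real telemetry."""
import re
from urllib.parse import urlparse

# Domains from the bulletin, kept defanged as published; refanged only for matching.
DEFANGED_MALICIOUS_INFRA = ["ewar4pres[.]com", "road-to-hell[.]top", "expertlearninghub[.]com"]
DEFANGED_COMPROMISED_SITES = [
    "hereaiken[.]com", "herebeaufort[.]com", "herechapin[.]com", "herecharleston[.]com",
    "hereclinton[.]com", "herecolumbia[.]com", "hereflorence[.]com", "heregreenville[.]com",
    "heregreenwood[.]com", "herehiltonhead[.]com", "hereirmo[.]com", "herelexington[.]com",
    "heremyrtlebeach[.]com", "herenewberry[.]com", "hererockhill[.]com", "herespartanburg[.]com",
]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


WATCHLIST = {refang(d): "malicious-infrastructure" for d in DEFANGED_MALICIOUS_INFRA}
WATCHLIST.update({refang(d): "compromised-site" for d in DEFANGED_COMPROMISED_SITES})

# Assumed image names (not from the bulletin). explorer.exe is included because a
# command pasted into the Win+R Run dialog is launched by Explorer, not the browser.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
SUSPICIOUS_PARENTS = BROWSERS | {"explorer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def classify_host(host: str):
    """Return the watchlist category for host (or a subdomain of a listed domain), else None."""
    host = host.lower().rstrip(".")
    for domain, category in WATCHLIST.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None


# Assumed proxy line layout: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)")


def find_watchlist_connections(proxy_lines):
    """Return (client_ip, host, category) for every proxy line that reached a listed domain."""
    hits = []
    for line in proxy_lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        host = urlparse(m.group("url")).hostname or ""
        category = classify_host(host)
        if category:
            hits.append((m.group("client"), host, category))
    return hits


def has_hidden_window_flag(cmdline: str) -> bool:
    """True for -WindowStyle Hidden in any prefix form PowerShell accepts (-w h, -win hid, ...)."""
    tokens = cmdline.split()
    for flag_tok, value_tok in zip(tokens, tokens[1:]):
        if not flag_tok.startswith(("-", "/")):
            continue
        flag, value = flag_tok[1:].lower(), value_tok.lower()
        if flag and "windowstyle".startswith(flag) and value and "hidden".startswith(value):
            return True
    return False


def find_hidden_powershell(process_events):
    """Events are dicts with image, parent_image and cmdline (e.g. from Sysmon Event ID 1)."""
    hits = []
    for ev in process_events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        if image in POWERSHELL and parent in SUSPICIOUS_PARENTS and has_hidden_window_flag(ev["cmdline"]):
            hits.append(ev)
    return hits


# Constructed sample telemetry: URL paths and arguments are placeholders, not observed values.
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z 10.1.2.3 GET https://herecolumbia.com/ 200
2024-01-01T10:00:02Z 10.1.2.3 GET https://ewar4pres.com/sample.js 200
2024-01-01T10:00:09Z 10.1.2.3 GET http://cdn.road-to-hell.top/sample 200
2024-01-01T10:01:00Z 10.1.2.9 GET https://example.com/ 200
""".splitlines()

SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w h -nop -c "<payload omitted>"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -c "<payload omitted>"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},  # benign admin script
]

if __name__ == "__main__":
    for hit in find_watchlist_connections(SAMPLE_PROXY_LOG):
        print("connection:", hit)
    for ev in find_hidden_powershell(SAMPLE_PROCESS_EVENTS):
        print("hidden powershell:", ev["parent_image"], "->", ev["cmdline"])
```

The hidden-window check matches on parameter prefixes rather than exact strings because powershell.exe accepts any unambiguous abbreviation of -WindowStyle and of Hidden, so a rule that only looks for the literal text "-w h" or "WindowStyle Hidden" misses variants such as "-win hid". Subdomain matching on the watchlist catches hosts like cdn.road-to-hell.top without also flagging unrelated names that merely end in the same characters.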
This product is marked TLP:GREEN. The information in this product may be shared with peers and partner organizations within their sector or community, but not via publicly accessible channels.
Known Compromised South Carolina Based Sites include:
hereaiken[.]com; herebeaufort[.]com; herechapin[.]com; herecharleston[.]com; hereclinton[.]com; herecolumbia[.]com; hereflorence[.]com; heregreenville[.]com; heregreenwood[.]com; herehiltonhead[.]com; hereirmo[.]com; herelexington[.]com; heremyrtlebeach[.]com; herenewberry[.]com; hererockhill[.]com; herespartanburg[.]com
Malicious Infrastructure includes: ewar4pres[.]com; road-to-hell[.]top; expertlearninghub[.]com
If you need assistance, have questions about our services, or need to report a cyber incident, please contact us at 803-896-8081 or at cyber@sled.sc.gov. For more information on the Traffic Light Protocol, visit first.org/tlp/. Also, please take a moment to fill out this brief feedback form: forms.office.com/g/W65VjY7ACh. Ongoing feedback gives SLED the ability to maintain the highest level of information sharing possible and ensure the intelligence you receive is helpful.