Figure 1. Soula’s attack chain.
The script then scans the HTTP User-Agent header for strings such as iPhone, iPad, iPod, iOS and Android to classify the visitor's device as mobile or desktop, so that it can deliver the matching phishing form. Mobile users see the fake login pop-up only after clicking a button on the compromised website. To mask the malicious routine, the script sets a cookie that counts the victim's visits and only lets the pop-up appear after the sixth visit; the cookie is also set to expire two hours after the last pop-up.
Figure 2. Injected script to check HTTP Referer and HTTP User-Agent.
If none of the listed strings is present, Soula assumes that the user is browsing from a desktop computer. Desktop users see the fake login form overlaid directly on the compromised webpage, asking for a username and password before they can continue to the site. The entered credentials are sent directly to the attackers' servers. To avoid raising suspicion on the website, the phishing script sets a browser cookie on devices that received the phishing form, so that the fake login expires 12 hours after the initial interaction.
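The behaviour described above (a script injected into a legitimate page that inspects the User-Agent for device strings and uses a cookie to gate when the form appears) is something a site operator can look for in their own served HTML. The following is an added example, not code from the original article or from Trend Micro: it extracts the script tags from a page, flags external scripts whose host is not on an allowlist, and flags inline scripts that combine a User-Agent check, two or more of the device strings named above and cookie writes. The allowlist, the sample page and the heuristic thresholds are constructed for this example.

```javascript
// Added example: audit a page's <script> tags for injected content.
// ALLOWED_SCRIPT_HOSTS is an assumed allowlist a site operator would maintain.
const ALLOWED_SCRIPT_HOSTS = new Set(['www.example.com', 'cdn.example.com']);

// Device strings the article says the injected script looks for in the User-Agent.
const DEVICE_STRINGS = ['iPhone', 'iPad', 'iPod', 'iOS', 'Android'];

// Pull out every <script> tag, keeping its src (if any) and inline body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Resolve a (possibly relative) src against the page origin and return its host.
function hostOf(src, pageOrigin) {
  try { return new URL(src, pageOrigin).hostname; } catch { return null; }
}

// Heuristic matching the described routine: reads navigator.userAgent, tests
// at least two of the device strings, and writes document.cookie (visit counter).
function looksLikeDeviceGatedPhish(body) {
  const hits = DEVICE_STRINGS.filter((s) => body.includes(s)).length;
  return /\buserAgent\b/.test(body) && hits >= 2 && /document\.cookie/.test(body);
}

// Return a list of findings for the page; an empty list means nothing suspicious.
function auditPage(html, pageOrigin) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const host = hostOf(s.src, pageOrigin);
      if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: 'unlisted-external-script', detail: s.src });
      }
    } else if (looksLikeDeviceGatedPhish(s.body)) {
      findings.push({ kind: 'device-gated-inline-script', detail: s.body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample page: one allowed script, one unlisted external script,
// one inline script showing the described device/cookie gating, one harmless inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://unlisted.example.net/x.js"></script>
<script>
  var ua = navigator.userAgent;
  var mobile = /iPhone|iPad|iPod|Android/.test(ua);
  document.cookie = "visits=1; max-age=7200";
</script>
<script>console.log("harmless inline");</script>
</head><body></body></html>`;

console.log(auditPage(SAMPLE_HTML, 'https://www.example.com/'));
```

Running it against the constructed page reports two findings: the unlisted external script and the device-gated inline script. The inline heuristic is deliberately narrow and only mirrors the behaviour the article describes; in practice it complements, rather than replaces, comparing served pages against a known-good copy from source control.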
Figure 3. Comments in Simplified Chinese.
Figure 4. The original script injected in the compromised website vs. the injected script after obfuscation.
Considering that one of the compromised websites is among the country's top 300 most-visited sites, and that the search engine is a trusted site hosting a variety of services for its South Korean customers, Soula is a significant threat to both enterprises and users, as it exposes user credentials across a number of platforms. Further, the content string it searches for and connects to may indicate that the cybercriminals plan to expand this into a bigger campaign that could affect more people worldwide.
While this technique can be harder to trace than socially engineered phishing attacks, endpoint users can still protect themselves with a multi-layered defense that detects, scans and blocks malicious URLs and pop-ups. Users should also enable additional authentication measures such as 2FA wherever possible. Security administrators are advised to apply updates as soon as patches are available from legitimate vendors, and to enable a Content Security Policy (CSP) to prevent unauthorized access and the use of exploits through remotely injected scripts.
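To make the CSP recommendation concrete, the following added example (not from the original article or from Trend Micro) parses a Content-Security-Policy header and answers two questions a defender cares about: would an external script from a given host be allowed to load, and would an inline script without a nonce be allowed to run. It places a permissive policy beside a hardened one; both policies, the page origin and the script URLs are constructed for the example, and the evaluator supports only `'self'`, `*`, scheme sources and host sources with a leading `*.` wildcard.

```javascript
// Added example: a minimal CSP script-src evaluator (subset of the real algorithm).

// Parse "directive value value; directive value" into { directive: [values] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// script-src falls back to default-src; no policy at all means everything is allowed.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

// Exact host match, or "*.example.com" matching any subdomain (not the apex).
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading `script` on `page`?
function sourceAllowsUrl(src, page, script) {
  if (src === '*') return true;
  if (src === "'self'") return script.origin === page.origin;
  if (src.startsWith("'")) return false;             // nonces, hashes, other keywords: not modelled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {          // scheme source such as "https:"
    return script.protocol === src.toLowerCase();
  }
  const hostPort = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0];
  const host = hostPort.split(':')[0].toLowerCase();
  return hostMatches(host, script.hostname.toLowerCase());
}

// Would an external script at scriptUrl be permitted on a page at pageOrigin?
function externalScriptAllowed(header, pageOrigin, scriptUrl) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  const page = new URL(pageOrigin);
  const script = new URL(scriptUrl);
  return sources.some((src) => sourceAllowsUrl(src, page, script));
}

// Would an inline <script> with no nonce or hash be permitted?
function inlineScriptAllowed(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// Constructed policies: the weak one allows inline code and any host, the
// hardened one restricts scripts to the page's own origin and one CDN.
const WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; base-uri 'self'";

const PAGE = 'https://www.example.com/';
const INJECTED = 'https://attacker-controlled.invalid/phish.js'; // constructed placeholder host

console.log('weak allows injected host:', externalScriptAllowed(WEAK_CSP, PAGE, INJECTED));
console.log('hardened allows injected host:', externalScriptAllowed(HARDENED_CSP, PAGE, INJECTED));
console.log('hardened allows inline:', inlineScriptAllowed(HARDENED_CSP));
```

With the weak policy both the inline form-injecting code and a script fetched from an unlisted host would run; with the hardened policy neither does, while the site's own scripts and the listed CDN still load. Two caveats: browsers implement the full CSP algorithm (nonces, hashes, `'strict-dynamic'`, redirects), which this evaluator does not, and the header must be set by the web server or a layer the attacker cannot edit, since a CSP embedded in content the attacker can already modify offers little.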
Trend Micro solutions
Indicators of Compromise
Listed below are the Soula phishing script hashes detected as Trojan.HTML.PHISH.TIAOOHDW:
Listed below are the phishing domains: