South Korean websites targeted in new watering hole attack campaign dubbed ‘Soula’

• The campaign is aimed at stealing users credentials.
• A total of four websites have been identified to be injected with malicious JavaScript code.

Several South Korean websites have been found to be compromised in a new watering hole phishing campaign. The campaign is aimed at stealing users credentials.

What is this campaign - Researchers from Trend Micro have observed a significant attack campaign targeting South Korean websites. Dubbed as ‘Soula’, the attack leverages the watering hole technique to infect the websites.

A total of four websites have been identified to be injected with malicious JavaScript code. The malicious code includes code for browser exploits and financial information skimmers. The first compromised site was observed on March 14, 2019.

How does it work - The cybercriminals behind the attack harvest information by spoofing the login screen of the compromised websites. Once the data is gathered from victims’ machines, it is sent to a collection server that is controlled by the attackers.

In order to trick the users into providing their login details, the malware scans the HTTP referer header string and checks if it contains keywords related to popular search engines and social media sites.

“The injected script profiles the website’s visitors and loads the phishing forms on top of the main pages. It scans the HTTP referer header string and checks if it contains keywords related to popular search engines and social media sites to authenticate that the visitor is real,” the researchers wrote in a blog post.

“Since the HTTP referer identifies the address webpage of the source to the requested page, this check makes it easier to identify the visitor as a real user if the request comes from one, as well as filter out bot crawlers or threat engine scanners.”

Using CloudFlare for domain protection - The interesting part of the campaign is that malware remains in the background and does not load the spoofed login form until the user has visited the compromised site six times. This enables the malware to steal the users’ cookies. The malware also uses CloudFlare to protect their domains or IP addresses from being detected. Trend Micro has notified CloudFlare about the issue.

It is believed that a Chinese APT group is behind the attack as the code is written in the same language.