A previously undocumented threat actor, now known as Boolka, has been detected compromising websites with malicious scripts to deliver a modular trojan called BMANAGER. “Since at least 2022, the threat actor behind this campaign has been conducting opportunistic SQL injection attacks against websites in various countries,” stated Group-IB researchers Rustam Mirkasymov and Martijn van den Berk in a report published last week. “Over the past three years, the threat actors have been infecting vulnerable websites with malicious JavaScript capable of intercepting any data entered on the compromised site.” The name Boolka originates from the JavaScript code embedded into the website, which communicates with a command-and-control server named “boolka[.]tk” whenever an unsuspecting visitor accesses the infected site.
This JavaScript is designed to gather and exfiltrate user inputs and interactions in a Base64-encoded format, suggesting its use to capture sensitive information like credentials and personal details. Additionally, it redirects users to a fake loading page, prompting them to download and install a browser extension. However, it actually deploys a downloader for the BMANAGER trojan, which then attempts to retrieve the malware from a hard-coded URL. The malware delivery system is based on the BeEF framework.
The trojan itself acts as a conduit to deploy four additional modules: BMBACKUP (which harvests files from specific paths), BMHOOK (which records running applications and those with keyboard focus), BMLOG (which logs keystrokes), and BMREADER (which exports stolen data). It also establishes persistence on the host using scheduled tasks.
“Most samples utilize a local SQL database,” the researchers noted. “The path and name of this database are hard-coded in the samples to be located at: C:\Users{user}\AppData\Local\Temp\coollog.db, with {user} being the username of the logged-in user.”
Boolka is the third actor, following GambleForce and ResumeLooters, to use SQL injection attacks for stealing sensitive data in recent months. From opportunistic SQL injection attacks in 2022 to developing their own malware delivery platform and trojans like BMANAGER, Boolka’s operations reveal increasingly sophisticated tactics over time,” the researchers concluded. “The injection of malicious JavaScript into vulnerable websites for data exfiltration, followed by the use of the BeEF framework for malware delivery, illustrates the progressive development of the attacker’s skills.“
