Boolka [1] [2] [3] [4] [5] [6], a threat actor known for conducting opportunistic SQL injection attacks against websites since at least 2022 [5], has evolved its operations to include a malware delivery platform utilizing the BeEF framework.

Description

Analysts discovered a landing page associated with Boolka’s operations distributing the BMANAGER modular Trojan in January 2024 [1]. The trojan [2] [3] [4] [5] has a modular design [1] that supports data exfiltration [1], keylogging [1] [3] [4], and file stealing [1]. By March 2024 [1], BMANAGER was being actively distributed in the wild [1]. The BMANAGER suite includes the components BMREADER [1], BMLOG [1] [2], BMHOOK [1] [2], and BMBACKUP [1] [2], each with a specific function that extends Boolka’s ability to extract valuable information from infected systems [1].

Boolka conducts opportunistic SQL injection attacks against websites in various countries [3] [4] and infects them with malicious JavaScript that intercepts user data [3] [4]. Boolka compromises websites with these scripts to deliver the BMANAGER trojan [3] [4] [5], which collects and exfiltrates user inputs and interactions [5]. Visitors are redirected to a fake loading page that prompts them to download a browser extension [3] [4], which actually installs the BMANAGER trojan [3]. The trojan serves as a conduit for deploying additional data-theft modules and establishes persistence on the host through scheduled tasks [5], showing Boolka’s increased sophistication over time [4].

Boolka’s activities pose significant threats to website owners and users through data breaches and financial losses [6], emphasizing the importance of implementing robust cybersecurity measures and collaborating with experts in the field. The efforts of cybersecurity researchers [6], such as those at Group-IB [6], are crucial in uncovering and documenting the activities of threat actors like Boolka [6], providing valuable insights to defend against cyber attacks [6]. Boolka is the third actor to steal confidential data using SQL injection attacks [2], following GambleForce and ResumeLooters [2].
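The initial access described above is opportunistic SQL injection against vulnerable websites. The following is an added example, not code from the page or from any of the cited reports, showing the vulnerable pattern (user input concatenated into SQL text) beside the hardened form (placeholder binding) against a constructed in-memory SQLite table. The table, rows, and function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.test", "1111"), ("bob@example.test", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: the caller-supplied value becomes part of the SQL
    # statement itself, so quote characters in the input change the query.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Hardened pattern: the value is bound to a placeholder and is always
    # treated as a string literal, never as SQL syntax.
    return [
        row[0]
        for row in conn.execute(
            "SELECT email FROM customers WHERE email = ?", (email,)
        )
    ]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concatenated :", lookup_vulnerable(db, probe))     # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # no match
```

The textbook probe `x' OR '1'='1` makes the concatenated query return every row, while the parameterized query looks for a customer whose address is literally that string and returns nothing. Code review and static analysis rules that flag string-built SQL are the practical way to find the first pattern at scale.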
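Because the compromised sites serve injected JavaScript that intercepts user input, site owners need a way to notice unexpected scripts in their own pages. The following is an added example, not code from the page or from the cited reports: it parses a page body and reports external scripts loaded from hosts outside an allowlist, plus inline scripts that register keyboard or form-input listeners. The sample HTML, the hostnames, and the allowlist are all constructed placeholders; real deployments would feed it the live page fetched by a monitoring job and maintain their own allowlist.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page body; the hosts are placeholders, not indicators.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="/static/site.js"></script>
<script src="https://static.attacker-placeholder.test/loader.js"></script>
<script>document.addEventListener("keydown", function(e){ /* capture */ });</script>
</head><body><form><input name="card"></form></body></html>
"""

# Hosts the site owner legitimately loads scripts from (assumption).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-shop.test", "example-shop.test"}

# Inline listeners on input-related events are a common shape for
# form-grabbing or keylogging scripts; flag them for human review.
SUSPICIOUS_INLINE = re.compile(
    r"""addEventListener\(\s*['"](keydown|keyup|keypress|input|submit)['"]""",
    re.IGNORECASE,
)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_injected_scripts(html, allowed_hosts):
    """Return (finding_type, detail) tuples for scripts worth investigating."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # Relative URLs have no host and are treated as same-origin.
        if host and host not in allowed_hosts:
            findings.append(("external_script_untrusted_host", src))
    for code in parser.inline:
        match = SUSPICIOUS_INLINE.search(code)
        if match:
            findings.append(("inline_input_hook", match.group(1).lower()))
    return findings


if __name__ == "__main__":
    for kind, detail in find_injected_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print(kind, detail)
```

Run periodically against the rendered pages of a site, a diff of these findings against a known-good baseline surfaces a newly inserted script tag or listener quickly; a Content Security Policy restricting `script-src` to the same allowlist blocks the untrusted external load in the browser even before the monitoring job notices it.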

Conclusion

Boolka’s activities highlight the urgent need for enhanced cybersecurity measures to protect against data breaches and financial losses. Collaboration with cybersecurity experts and continuous monitoring of website security are essential to mitigate the risks posed by threat actors like Boolka. The evolving tactics and sophistication of threat actors underscore the importance of staying vigilant and proactive in defending against cyber threats in the future.

References

[1] https://www.infosecurity-magazine.com/news/modular-malware-boolkas-bmanager/
[2] https://innovatopia.jp/cyber-security/cyber-security-news/33863/
[3] https://cybersocialhub.com/csh/new-cyberthreat-boolka-deploying-bmanager-trojan-via-sqli-attacks/
[4] https://www.redpacketsecurity.com/new-cyberthreat-boolka-deploying-bmanager-trojan-via-sqli-attacks/
[5] https://thehackernews.com/2024/06/new-cyberthreat-boolka-deploying.html
[6] https://www.krofeksecurity.com/index.php/2024/06/25/decoding-the-threat-unveiling-the-boolka-cyberthreat-and-bmanager-trojan-spread-through-sql-injection-attacks/