New Cyberthreat 'Boolka' Deploying BMANAGER Trojan via SQLi Attacks
A newly identified threat actor, dubbed Boolka, has been found compromising websites with malicious scripts to deliver a modular trojan known as BMANAGER.
According to Group-IB researchers Rustam Mirkasymov and Martijn van den Berk, "The threat actor behind this campaign has been conducting opportunistic SQL injection attacks on websites in various countries since at least 2022." This was detailed in a report published last week.
Over the past three years, these threat actors have been infecting vulnerable websites with malicious JavaScript capable of intercepting any data entered on the site.
The name "Boolka" comes from the JavaScript code inserted into the compromised websites. This code communicates with a command-and-control server at "boolka[.]tk" whenever a visitor lands on the infected site.
The JavaScript is designed to collect and exfiltrate user inputs and interactions in Base64-encoded form, indicating that its purpose is to capture sensitive details such as credentials and other personal information.
Additionally, it redirects users to a fake loading page that prompts them to download and install a browser extension. In reality, this extension drops a downloader for the BMANAGER trojan, which then attempts to fetch the malware from a hard-coded URL. The malware delivery framework used is based on the BeEF framework.
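The two behaviours described above (a script injected into the compromised site that calls out to boolka[.]tk, and form data sent to that host Base64-encoded) are what a defender can look for in page content and proxy logs. The following is an added example, not code from the article or from Group-IB; the log line format, the query-parameter name and the sample data are constructed assumptions, since the report excerpt does not give the exact beacon format.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote, urlparse

# Indicator from the article, written out in undefanged form for matching.
C2_DOMAIN = "boolka.tk"

# Assumption: the injected code is a <script> element (external or inline)
# that names the C2 host; the article does not reproduce the snippet itself.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def find_injected_scripts(html: str) -> List[str]:
    """Return every <script> element in a page that references the C2 domain."""
    return [s for s in SCRIPT_RE.findall(html) if C2_DOMAIN in s.lower()]


def _try_b64(value: str) -> Optional[str]:
    """Decode a strict standard-alphabet Base64 string to UTF-8 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_c2_beacons(log_lines: List[str]) -> List[Dict[str, object]]:
    """Scan proxy log lines (assumed format: '<ts> <client_ip> <method> <url>')
    for requests to the C2 host; Base64 query values are decoded so the
    responder can see which form fields were captured from which client."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host != C2_DOMAIN and not host.endswith("." + C2_DOMAIN):
            continue
        decoded = {k: _try_b64(v[0]) for k, v in parse_qs(parsed.query).items()}
        hits.append({"ts": ts, "client": client, "decoded": decoded})
    return hits


# Constructed sample input: one injected script and one exfiltration beacon.
SAMPLE_HTML = ('<html><body><form><input name="email"></form>'
               '<script src="https://boolka.tk/collect.js"></script></body></html>')
_PAYLOAD = base64.b64encode(b"email=alice@example.com&note=test").decode()
SAMPLE_LOG = [
    "2024-06-25T10:00:01Z 10.0.0.5 GET https://boolka.tk/?d=" + quote(_PAYLOAD, safe=""),
    "2024-06-25T10:00:02Z 10.0.0.5 GET https://example.com/index.html",
]
```

Run the functions over your own crawled page source and proxy export; a decoded hit is an exposed session, not just a blocked domain, and should drive credential resets for the affected users.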
SQL Injection Attacks
The BMANAGER trojan itself acts as a conduit to deploy four additional modules:
- BMBACKUP: Harvests files from specific paths.
- BMHOOK: Records which applications are running and have keyboard focus.
- BMLOG: Logs keystrokes.
- BMREADER: Exports stolen data.
It also establishes persistence on the host using scheduled tasks.
The researchers noted, "Most samples make use of a local SQL database. The path and name of this database are hard-coded in the samples to be located at: C:\Users\{user}\AppData\Local\Temp\coollog.db, with 'user' being the username of the logged-in user."
Boolka is the third actor, after GambleForce and ResumeLooters, to leverage SQL injection attacks to steal sensitive data in recent months.
"Starting with opportunistic SQL injection attacks in 2022, to developing their own malware delivery platform and trojans like BMANAGER, Boolka's operations show the group's tactics have become more sophisticated over time," the researchers concluded. "Injecting malicious JavaScript snippets into vulnerable websites for data exfiltration and using the BeEF framework for malware delivery reflects the step-by-step development of the attacker's skills."