A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER.
"The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022," Group-IB researchers Rustam Mirkasymov and Martijn van den Berk said in a report published last week.
"Over the last three years, the threat actors have been infecting vulnerable websites with malicious JavaScript scripts capable of intercepting any data entered on an infected website."
Boolka gets its name from the JavaScript code inserted into the website that beacons out to a command-and-control server named "boolka[.]tk" every time an unsuspecting visitor lands on the infected site.
The JavaScript is also designed to collect and exfiltrate user inputs and interactions in a Base64-encoded format, indicating the use of the malware to grab sensitive details like credentials and other personal information.
Furthermore, it redirects users to a bogus loading page that prompts victims to download and install a browser extension when, in reality, it drops a downloader for the BMANAGER trojan, which, in turn, attempts to fetch the malware from a hard-coded URL. The malware delivery framework is based on the BeEF framework.
The trojan, for its part, serves as a conduit to deploy four additional modules, including BMBACKUP (harvest files from particular paths), BMHOOK (record which applications are running and have keyboard focus), BMLOG (log keystrokes), and BMREADER (export stolen data). It also sets up persistence on the host using scheduled tasks.
"Most samples make use of a local SQL database," the researchers noted. "The path and name of this database is hard-coded in the samples to be located at: C:\Users\{user}\AppData\Local\Temp\coollog.db, with user being the username of the logged in user."
Boolka is the third actor after GambleForce and ResumeLooters to leverage SQL injection attacks to steal sensitive data in recent months.
"Starting from opportunistic SQL injection attacks in 2022 to the development of his own malware delivery platform and trojans like BMANAGER, Boolka's operations demonstrate the group's tactics have grown more sophisticated over time," the researchers concluded.
"The injection of malicious JavaScript snippets into vulnerable websites for data exfiltration, and then the use of the BeEF framework for malware delivery, reflects the step-by-step development of the attacker's competencies."