Modular Malware Boolka’s BMANAGER Trojan Exposed

Written by

Security researchers from Group-IB have unveiled the operations of a threat actor known as Boolka, whose activities involve deploying sophisticated malware and engaging in web attacks. 

According to an advisory published by the company on Friday, the group has been observed exploiting vulnerabilities through SQL injection attacks since 2022, targeting websites across various countries. The malicious scripts injected into these websites are designed to steal data by intercepting user inputs.

In January 2024, Group-IB analysts identified a landing page linked to Boolka’s operations, which distributed the BMANAGER modular Trojan. This discovery led to unmasking Boolka’s malware delivery platform, which leverages the BeEF framework. 

The platform uses a modified Django admin page, highlighting the technical prowess behind Boolka’s operations. The malicious JavaScript injected by Boolka captures user inputs from infected websites and exfiltrates sensitive information such as passwords and usernames back to the threat actor’s server.

The analysis also revealed Boolka’s dynamic approach to updating its scripts. In late 2023, its payloads were enhanced to include new checks and functionalities, such as creating hidden elements on web pages to evade detection.

Further investigation into Boolka’s infrastructure uncovered multiple domain names used for launching malware attacks. By March 2024, Boolka’s malware delivery platform was actively distributing the BMANAGER Trojan in the wild. This Trojan is notable for its modular design, enabling it to perform a range of malicious activities, including data exfiltration, keylogging and file stealing.

Read more on infostealers: Phemedrone Stealer Targets Windows Defender Flaw Despite Patch

The BMANAGER malware suite includes various components such as BMREADER, BMLOG, BMHOOK and BMBACKUP. Each module has a specific function, from logging keystrokes to stealing files, which collectively enhance the threat actor’s capability to extract valuable information from infected systems. 

According to Group-IB, the use of PyInstaller and Python 3.11 in creating these modules also indicates high levels of sophistication and customization in Boolka’s malware development capabilities.

To defend against the BMANAGER Trojan and similar threats, organizations should keep their systems and applications updated with the latest security patches, use advanced endpoint protection and antivirus solutions, monitor network traffic and employ intrusion detection systems, and educate employees about phishing and safe browsing practices.

What’s hot on Infosecurity Magazine?