Application Security and Online Fraud , Fraud Management and Cybercrime , Governance and Risk Management

Many threat groups now include this framework in their toolkits

Prajeet Nair (@prajeetspeaks) •
May 27, 2022

A growing number of malicious actors are using a free browser automation framework as part of their attack campaigns, security firm researchers say The Cymru team.

See also: A Guide to Passwordless Anywhere

Researchers say the technical entry bar for the framework is “deliberately kept low”, which has served to create an active community of content developers and contributors, with players in the underground economy announcing their time for creation custom tools. “The framework warranted further research due to the high number of distinct threat groups that include it in their toolkits,” the researchers say.

While investigating the command and control (C2) frameworks for the Bumblebee loader and the BlackGuard and RedLine rogues, the Cymru team observed a similar connection between the C2s and a tool repository called Bablosoft.

This is not the first time Bablosoft has been documented. It was previously identified during general research conducted by F5 Labs on credential stuffing attacks – and also during research conducted by NTT on the toolkit used by GRIM SPIDER.

“Based on the number of actors already using the tools offered on Bablosoft’s website, we can only expect to see BAS become a more common part of the threat actor’s toolkit,” the researchers say. .

BrowserAutomationStudio (BAS) is an automation tool from Bablosoft that allows users to create applications with browser, HTTP client, email client and other libraries.

“One of the reasons we expect to see more BAS is the Bablosoft community and the ease with which the software makes it possible to redistribute and sell work,” F5 Labs says in its credential stuffing report.

Researchers also uncovered an unofficial Telegram group, titled Bablosoft – BAS chat, with over 1,000 users. The researchers say this highlights the level of community activity around the tool.

Cymru researchers say the group appears to be used primarily by Russian speakers, to share updates on new features, scripts, and cheats.

Technical analysis

BAS tool capabilities include browser emulation, imitation of human behavior (keyboard and mouse), proxy support, a mailbox search function, and the ability to load data from of a file/URL/string, the researchers explain, adding that these features have attracted several operations from threat actors.

The services created include tailor-made scripts for BAS, for example to interact with the Telegram API, or the development of “bruters” and “recruiters”.

Bruters is software that performs the credential stuffing attack.

In C2s of Bumblebee, BlackGuard, and RedLine malware, researchers observed connections to downloads.bablosoft[.]com (resolution to 46.101.13.144). They assume that the threat actors were downloading tools to use in malicious activities. “Threat telemetry for this IP address provides insight into Bablosoft’s general user base, with the majority of activity coming from sites located in Russia and Ukraine,” the researchers explain.

Several BAS use cases were identified by researchers when analyzing the C2 BlackGuard and RedLine. Researchers have identified a “Gmail account checker” that they say threat actors could use to assess the validity of stolen credentials.

“While examining threat telemetry for other pieces of Bablosoft’s infrastructure, we identified several hosts associated with cryptojacking malware making fingerprint connections. bablosoft[.]com. The Fingerprint element of the BAS service allows users to change their browser’s fingerprint, a feature likely used by these particular actors as a way to anonymize or normalize their activity,” the researchers add.