Threat Actors Exploiting Free Browser Automation FrameworkMany Threat Groups Now Include This Framework in Their Toolkits
An increasing number of threat actors are using a free-to-use browser automation framework as part of their attack campaigns, according to researchers at security firm Team Cymru.
The researchers say the technical entry bar for the framework is "purposefully kept low," which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling. "The framework warranted further research due to the high number of distinct threat groups who include it in their toolkits," the researchers say.
While investigating command-and-control, or C2, infrastructures for Bumblebee loader and BlackGuard and RedLine stealers, Team Cymru observed a similar connection from the C2s to a tool repository called Bablosoft.
This is not the first time that Bablosoft has been documented. It was identified during general research by F5 Labs into credential stuffing attacks - and also in research by NTT into the toolkit used by GRIM SPIDER.
"Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor’s toolkit," the researchers say.
BrowserAutomationStudio, or BAS, is an automation tool from Bablosoft that allows users to create applications with a browser, HTTP client, email client and other libraries.
"One of the reasons we expect to see more of BAS is because of the Bablosoft community and how easy the software makes it to redistribute and sell work," F5 Labs says in its report on credential stuffing.
The researchers also uncovered an unofficial Telegram group, entitled Bablosoft - BAS chat, with a membership of more than 1,000 users. The researchers say that this highlights the level of community activity around the tool.
Cymru researchers say that the group appears to be used predominantly by Russian speakers to share updates on new features, scripts and tips.
The BAS tool's capabilities include browser emulation, mimicking human behavior - keyboard and mouse, proxy support, a mailbox search feature and the ability to load data from file/URL/string, the researchers say, adding that these features have attracted several distinct threat actor operations.
The services created include bespoke scripts for BAS, for example to interact with the Telegram API, or the development of "bruters" and "recruiters."
Bruters is software that performs the credential stuffing attack.
In the C2s for Bumblebee, BlackGuard and RedLine malware, the researchers observed connections to downloads.bablosoft[.]com - resolving to 220.127.116.11. They assume that the threat actors were downloading tools for use in malicious activities. "Threat telemetry for this IP address provides an insight into the general user base for Bablosoft, with the majority of activity coming from locations in Russia and Ukraine," the researchers say.
Several use cases for BAS were identified by researchers in the analysis of BlackGuard and RedLine C2s. The researchers identified a "gmail accounts checker" that they say the threat actors might use to assess the validity of stolen credentials.
"Whilst examining threat telemetry for other elements of the Bablosoft infrastructure, we identified several hosts associated with cryptojacking malware making connections to fingerprints.bablosoft[.]com. The Fingerprint element of the BAS service allows users to alter their browser fingerprint, a function likely used by these particular actors as a means of anonymizing or normalizing their activity," the researchers add.