Free-to-use browser automation framework creates thriving criminal community
Summary
Evidence suggests an increasing number of threat actor groups are making use of a free-to-use browser automation framework. The framework contains numerous features which we assess may be utilized in the enablement of malicious activities.
The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling.
The framework warranted further research due to the high number of distinct threat groups who include it in their toolkits.
Introduction
During three recent (and separate) investigations into command and control (C2) infrastructure for Bumblebee loader, and BlackGuard and RedLine stealers, our analysts observed connections from the C2s to a tool repository / marketplace called Bablosoft.
Looking into open-source reporting, we found that other vendors had previously come across Bablosoft in their investigations:
General research by F5 Labs into credential stuffing attacks
Research by NTT into the toolkit utilized by GRIM SPIDER
In this blog post, we will examine Bablosoft in further detail, providing our hypotheses on the threat actor use cases for the tools on offer, and highlighting links to other threat activity.
Bablosoft
Insight from Open Source
References to Bablosoft first appeared within public forums during late 2016, when the ‘main’ developer – who goes by the moniker Twaego – posted about the release of a tool entitled BrowserAutomationStudio (BAS).
As can be discerned from the advert, the purpose of BAS is to provide users with an easy-to-use framework for the creation of bots, including “spammers” and a “credentials checker”.
Reviewing this and other public threads on BAS / Bablosoft, it is clear the tool was well received by the community, for several reasons:
The tool is free – although a premium version with additional features is available
The developer (Twaego) actively works on community feedback/requests to improve the tool
Users can share applications/scripts through the Bablosoft community page
The postings also provided further insight into some of the tool’s capabilities; browser emulation, mimicking of human behavior (keyboard and mouse), proxy support, a mailbox search feature, and the ability to load data from file/URL/string. Features which have caught the eye of several distinct threat actor operations.
In underground forums we have identified users ‘offering their services’ for the creation of bespoke scripts for BAS, for example to interact with the Telegram API, or the development of “bruters” and “recruiters”.
In the post above, the user BasCoder provides an overview of a business-like service, inclusive of a ‘free consultation’, with projects priced from $20 depending on scale. We identified a ‘thank you’ post from another user who appeared to have used BasCoder’s services for a BAS-related project.
The customer in this case, a user called n1ppyyy, is a now-banned but formerly active member of the XSS forum who engaged in numerous topics indicative of an interest or involvement in malicious activity.
Insight from Threat Telemetry
In the cases of the Bumblebee, BlackGuard and RedLine C2s, we observed connections to downloads.bablosoft[.]com (resolving to 46.101.13.144). Threat telemetry for this IP address provides an insight into the general user base for Bablosoft, with the majority of activity coming from locations in Russia and Ukraine (based on WHOIS information).
As for Twaego (the ‘owner’ of Bablosoft), their profile summary indicates they are from Kiev, Ukraine.
We were able to corroborate this information based on management activity to several elements of the Bablosoft infrastructure, sourced from a single Ukrainian-assigned IP address. In addition, the IP was also involved with management connections to a number of hosts on TCP/27017 – commonly associated with MongoDB.
Malicious Use Cases
As previously highlighted, we observed the Bumblebee, BlackGuard and RedLine C2 IPs connecting to the ‘downloads’ subdomain of bablosoft[.]com, with the assumption that the operators were downloading tools for use in threat activities.
For the BlackGuard and RedLine C2s there are several use cases for BAS which may be applicable. For example, we identified a ‘gmail accounts checker’ which the threat actors might utilize for assessing the validity of stolen credentials.
Whilst examining threat telemetry for other elements of the Bablosoft infrastructure, we identified several hosts associated with cryptojacking malware making connections to fingerprints.bablosoft[.]com. The Fingerprint element of the BAS service allows users to alter their browser fingerprint, a function likely used by these particular actors as a means of anonymizing or normalizing their activity.
Conclusion
Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor’s toolkit. As referenced by F5 Labs in their report on credential stuffing – “One of the reasons we expect to see more of BAS is because of the Bablosoft community and how easy the software makes it to redistribute and sell work.”.
An “unofficial” Telegram group, entitled Bablosoft – BAS chat (BABLOSOFT – ЧАТ ПО БАСУ), retains a membership of over 1,000 users, further highlighting the level of community activity around the tool. This group appears to be used predominantly by Russian speakers, to share updates on new features, scripts and tips.
IOCs
Bumblebee C2:
45.147.229.177
BlackGuard Panel C2:
185.173.157.26
RedLine Controller C2:
91.243.59.61