Threat Actors Exploiting Free Browser Automation Framework


Many Threat Groups Now Include This Framework in Their Toolkits

Prajeet Nair (@prajeetspeaks) • May 27, 2022

Example of a BAS Gmail Checker Tool (Source: Team Cymru)

An increasing number of threat actors are using a free-to-use browser automation framework as part of their attack campaigns, say researchers at security firm Team Cymru.


The researchers say the technical entry bar for the framework is “purposefully kept low,” which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling. “The framework warranted further research due to the high number of distinct threat groups who include it in their toolkits,” the researchers say.

While investigating command and control (C2) infrastructures for Bumblebee loader and BlackGuard and RedLine stealers, Team Cymru observed a similar connection from the C2s to a tool repository called Bablosoft.

This is not the first time that Bablosoft has been documented. It was earlier identified during general research by F5 Labs into credential stuffing attacks – and also in research by NTT into the toolkit used by GRIM SPIDER.

“Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor’s
