An increasing number of threat actors are using a free-to-use browser automation framework as part of their attack campaigns, say researchers at security firm Team Cymru.
The researchers say the technical entry bar for the framework is “purposefully kept low,” which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling. “The framework warranted further research due to the high number of distinct threat groups who include it in their toolkits,” the researchers say.
While investigating command and control (C2) infrastructures for Bumblebee loader and BlackGuard and RedLine stealers, Team Cymru observed a similar connection from the C2s to a tool repository called Bablosoft.
This is not the first time that Bablosoft has been documented. It was earlier identified during general research by F5 Labs into credential stuffing attacks – and also in research by NTT into the toolkit used by GRIM SPIDER.
“Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor’s