# Bablosoft; Lowering the Barrier of Entry for Malicious Actors **[team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/](https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/)** S2 Research Team View all posts by S2 Research Team May 25, 2022 ## Summary Evidence suggests an increasing number of threat actor groups are making use of a free-touse browser automation framework. The framework contains numerous features which we assess may be utilized in the enablement of malicious activities. The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling. The framework warranted further research due to the high number of distinct threat groups who include it in their toolkits. ## Introduction During three recent (and separate) investigations into command and control (C2) infrastructure for [Bumblebee loader, and](https://www.securityweek.com/new-bumblebee-malware-loader-used-several-cybercrime-groups) [BlackGuard and](https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking) [RedLine stealers, our analysts](https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign) observed connections from the C2s to a tool repository / marketplace called Bablosoft. **Figure 1:** **Overview of Observed Relationships** ----- Looking into open-source reporting, we found that other vendors had previously come across Bablosoft in their investigations: [General research by F5 Labs into credential stuffing attacks](https://www.f5.com/labs/articles/threat-intelligence/2021-credential-stuffing-report) [Research by NTT into the toolkit utilized by GRIM SPIDER](https://hello.global.ntt/-/media/ntt/global/insights/white-papers/grim-spider-white-paper.pdf) **Figure 2:** **Screenshot from the NTT Analysis of GRIM SPIDER Infrastructure** In this blog post, we will examine Bablosoft in further detail, providing our hypotheses on the threat actor use cases for the tools on offer, and highlighting links to other threat activity. ## Bablosoft Insight from Open Source References to Bablosoft first appeared within public forums during late 2016, when the ‘main’ developer – who goes by the moniker Twaego – posted about the release of a tool entitled **_BrowserAutomationStudio (BAS)._** ----- **Figure 3:** **Twaego’s First Post About Bablosoft and BrowserAutomationStudio** As can be discerned from the advert, the purpose of BAS is to provide users with an easy-touse framework for the creation of bots, including “spammers” and a “credentials checker”. Reviewing this and other public threads on BAS / Bablosoft, it is clear the tool was well received by the community, for several reasons: The tool is free – although a premium version with additional features is available The developer (Twaego) actively works on community feedback/requests to improve the tool Users can share applications/scripts through the Bablosoft community page ----- **Figure 4:** **An Example of the Bablosoft Script Repositories** The postings also provided further insight into some of the tool’s capabilities; browser emulation, mimicking of human behavior (keyboard and mouse), proxy support, a mailbox search feature, and the ability to load data from file/URL/string. Features which have caught the eye of several distinct threat actor operations. In underground forums we have identified users ‘offering their services’ for the creation of bespoke scripts for BAS, for example to interact with the Telegram API, or the development of “bruters” and “recruiters”. ----- **Figure 5:** **Posting by ‘BasCoder’ on the XSS Forum** In the post above, the user BasCoder provides an overview of a business-like service, inclusive of a ‘free consultation’, with projects priced from $20 depending on scale. We identified a ‘thank you’ post from another user who appeared to have used BasCoder’s services for a BAS-related project. **Figure 6:** **‘Customer’ Feedback Post on the XSS Forum** The customer in this case, a user called n1ppyyy, is a now-banned but formerly active member of the XSS forum who engaged in numerous topics indicative of an interest or involvement in malicious activity. ## Insight from Threat Telemetry In the cases of the Bumblebee, BlackGuard and RedLine C2s, we observed connections to **_downloads.bablosoft[.]com (resolving to 46.101.13.144). Threat telemetry for this IP_** address provides an insight into the general user base for Bablosoft, with the majority of ----- activity coming from locations in Russia and Ukraine (based on WHOIS information). **Figure 7:** **Most Frequently Observed Country Codes** As for Twaego (the ‘owner’ of Bablosoft), their profile summary indicates they are from Kiev, Ukraine. ----- **Figure 8:** **Twaego User Profile Summary** We were able to corroborate this information based on management activity to several elements of the Bablosoft infrastructure, sourced from a single Ukrainian-assigned IP address. In addition, the IP was also involved with management connections to a number of hosts on TCP/27017 – commonly associated with MongoDB. **Figure 9:** **Overview of Bablosoft Backend Infrastructure** ## Malicious Use Cases ----- As previously highlighted, we observed the Bumblebee, BlackGuard and RedLine C2 IPs connecting to the ‘downloads’ subdomain of bablosoft[.]com, with the assumption that the operators were downloading tools for use in threat activities. For the BlackGuard and RedLine C2s there are several use cases for BAS which may be applicable. For example, we identified a ‘gmail accounts checker’ which the threat actors might utilize for assessing the validity of stolen credentials. **Figure 10:** **BAS Gmail Checker Tool** Whilst examining threat telemetry for other elements of the Bablosoft infrastructure, we identified several hosts associated with cryptojacking malware making connections to **_fingerprints.bablosoft[.]com. The Fingerprint element of the BAS service allows users to_** alter their browser fingerprint, a function likely used by these particular actors as a means of anonymizing or normalizing their activity. ----- **Figure 11:** **Attribution of Cryptojacking Infrastructure** ## Conclusion Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor’s toolkit. As referenced by F5 Labs in their report on credential stuffing – “One of the reasons we _expect to see more of BAS is because of the Bablosoft community and how easy the_ _software makes it to redistribute and sell work.”._ ----- An unofficial Telegram group, entitled Bablosoft – BAS chat (BABLOSOFT – ЧАТ ПО БАСУ), retains a membership of over 1,000 users, further highlighting the level of community activity around the tool. This group appears to be used predominantly by Russian speakers, to share updates on new features, scripts and tips. **Figure 12:** **Unofficial Bablosoft Telegram Group** **IOCs** Bumblebee C2: **45.147.229.177** BlackGuard Panel C2: **185.173.157.26** RedLine Controller C2: **91.243.59.61** -----