Researchers have warned against the increased use of free-to-use browser automation frameworks by attackers.
Browser automation framework
According to a report, the framework called Browser Automation Studio (BAS) includes various features that can be used in malicious activities. The framework is a Windows-only automation environment.
The technical barrier to entry for the framework is very low. This is suspected to be intentional, to attract more contributors and content developers.
At the same time, threat actors in the underground economy advertise their time for the creation of bespoke tooling.
Attack payloads
Researchers observed C2 IP addresses linked with malware such as BlackGuard, Bumblebee, and RedLine Stealer communicating with a Bablosoft subdomain.
Further, several hosts linked with the XMRig and Tofsee miners communicated with a second subdomain, fingerprints[.]bablosoft[.]com, to use a service that helps the miner hide its behavior.
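As an added defensive example (not code from the report), the two Bablosoft subdomains named above can be hunted for in DNS resolver logs; the log format, client IPs and timestamps below are constructed for illustration, and matching is done on label boundaries so look-alike names do not produce false hits.

```python
import re
from collections import defaultdict

# Indicators taken from the report, in defanged form; refang() turns
# "[.]" back into "." before matching.
DEFANGED_IOCS = ["fingerprints[.]bablosoft[.]com", "downloads[.]bablosoft[.]com"]

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").lower()

def domain_matches(hostname: str, indicator: str) -> bool:
    """True if hostname equals the indicator or is a subdomain of it; label-boundary
    matching avoids hits on e.g. notbablosoft.com or bablosoft.com.evil.example."""
    h = hostname.lower().rstrip(".")
    return h == indicator or h.endswith("." + indicator)

# Constructed sample lines in a hypothetical, simplified resolver log format:
# "<timestamp> <client_ip> query <qname>"
SAMPLE_LOG = """\
2022-05-10T08:01:12Z 10.0.4.17 query fingerprints.bablosoft.com
2022-05-10T08:01:13Z 10.0.4.17 query api.fingerprints.bablosoft.com
2022-05-10T08:02:40Z 10.0.9.3 query downloads.bablosoft.com
2022-05-10T08:03:05Z 10.0.9.3 query updates.example.com
2022-05-10T08:04:19Z 10.0.2.8 query bablosoft.com.evil.example
2022-05-10T08:05:00Z 10.0.2.8 query notbablosoft.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")

def scan_dns_log(text: str, iocs=DEFANGED_IOCS) -> dict:
    """Return {client_ip: [(timestamp, qname, matched_indicator), ...]} for
    every query that hits one of the indicators; clean hosts are omitted."""
    indicators = [refang(i) for i in iocs]
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        for ind in indicators:
            if domain_matches(qname, ind):
                hits[client].append((ts, qname, ind))
                break
    return dict(hits)

if __name__ == "__main__":
    for client, events in scan_dns_log(SAMPLE_LOG).items():
        print(client, [e[1] for e in events])
```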
About BAS
The BAS Framework is developed by Bablosoft, a firm offering various other automation and utility tools.
The framework was spotted in February 2021 and included the ability to automate tasks in Google's Chrome browser.
It is believed that the operators of the malware campaigns use the Bablosoft subdomain (downloads[.]bablosoft[.]com) to download additional tools for use in their post-exploitation activities.
Conclusion
Based on the number of attackers already using tools offered on the Bablosoft website, experts expect BAS to become a more common component of threat actors' toolkits in the near future. Thus, organizations should implement unique passwords and stop users from using compromised credentials.