Researchers have warned about the growing use of a free-to-use browser automation framework by attackers.

Browser automation framework

According to a report, the framework, called Browser Automation Studio (BAS), includes various features that can be abused for malicious activity. BAS is a Windows-only automation environment.
  • The technical entry bar for the framework is very low. This is suspected to be intentional, to attract more contributors and content developers.
  • At the same time, threat actors in the underground economy advertise their services for building bespoke tooling on top of it.

Attack payloads

  • Researchers observed C2 IP addresses linked with malware such as BlackGuard, Bumblebee, and RedLine Stealer communicating with a Bablosoft subdomain.
  • Further, several hosts linked with XMRig and Tofsee miners communicated with a second subdomain, fingerprints[.]bablosoft[.]com, to use a service that helps the miner hide its behavior.
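The two Bablosoft subdomains named above are the kind of indicator a SOC would hunt for in DNS or proxy logs. The script below is an added example, not part of the report: it refangs the page's defanged indicators, scans a constructed DNS query log, and returns the hits per client; the `watch_parent` option (an assumption of this example, not something the report describes) widens the net to any subdomain of the same parent domain for analysts who want broader triage.

```python
import re
from collections import defaultdict

# The two Bablosoft subdomains named in the report, as the page defangs them.
REPORTED_INDICATORS = ["downloads[.]bablosoft[.]com", "fingerprints[.]bablosoft[.]com"]

def refang(indicator: str) -> str:
    """Convert a defanged indicator ('a[.]b') into a normalised hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def parent_domain(host: str, labels: int = 2) -> str:
    """Parent of a host: its last `labels` DNS labels (e.g. 'bablosoft.com')."""
    return ".".join(host.split(".")[-labels:])

# Constructed DNS query log (not from the report): "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com
2024-01-01T10:00:07Z 10.0.0.5 downloads.bablosoft.com
2024-01-01T10:00:09Z 10.0.0.9 FINGERPRINTS.bablosoft.com.
2024-01-01T10:00:12Z 10.0.0.9 notbablosoft.com
2024-01-01T10:00:15Z 10.0.0.7 cdn.bablosoft.com
malformed entry
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

def hunt(log_text: str, indicators=REPORTED_INDICATORS, watch_parent: bool = False):
    """Return {client: [(timestamp, qname, reason)]} for queries worth triage.
    Exact indicator matches are always returned; with watch_parent=True, other
    subdomains of the same parent domain are returned too, tagged 'parent'."""
    wanted = {refang(i) for i in indicators}
    parents = {parent_domain(h) for h in wanted}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        host = m["qname"].lower().rstrip(".")  # case-fold, drop trailing dot
        if host in wanted:
            hits[m["client"]].append((m["ts"], host, "indicator"))
        elif watch_parent and parent_domain(host) in parents:
            hits[m["client"]].append((m["ts"], host, "parent"))
    return dict(hits)

if __name__ == "__main__":
    for client, events in hunt(SAMPLE_DNS_LOG, watch_parent=True).items():
        print(client, events)
```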

About BAS

The BAS Framework is developed by Bablosoft, a firm offering various other automation and utility tools.
  • The framework was spotted in February 2021 and included the ability to automate tasks in Google's Chrome browser.
  • It is believed that the operators of the malware campaigns connect to the Bablosoft subdomain downloads[.]bablosoft[.]com to download additional tools for use in their post-exploitation activities.

Conclusion

Based on the number of attackers already using tools offered on the Bablosoft website, experts expect BAS to become a more common component of threat actors' toolkits in the near future. Organizations should therefore enforce unique passwords and prevent users from using compromised credentials.
Cyware Publisher