Cybersecurity researchers are calling attention to a free browser automation framework that threat actors are increasingly using as part of their attack campaigns.
“The framework has various characteristics that we estimate may be used to facilitate malicious activity,” Team Cymru researchers said in a new analysis published Wednesday.
“The technical entry hurdle for the framework has been purposely maintained low, resulting in an active community of content producers and contributors, with participants in the underground economy advertising their time for the construction of bespoke tools.”
According to the cybersecurity firm, command-and-control (C2) IP addresses associated with malware families including Bumblebee, BlackGuard, and RedLine Stealer were observed connecting to the downloads subdomain of Bablosoft (“downloads.bablosoft[.]com”), the maker of Browser Automation Studio (BAS).
The framework’s ability to automate actions in Google’s Chrome browser in a manner comparable to legitimate developer tools such as Puppeteer and Selenium was previously documented by cloud security and application delivery provider F5 in February 2021.
Threat telemetry for the subdomain’s IP address, 46.101.13[.]144, shows that the vast majority of activity originates from Russia and Ukraine, and open-source information indicates that Bablosoft’s owner is based in Kyiv, the capital of Ukraine.
The operators of the malware campaigns are believed to have connected to the Bablosoft subdomain to retrieve additional tooling for use in post-exploitation activity.
Several hosts associated with cryptojacking malware such as XMRig and Tofsee were also observed communicating with a second subdomain, “fingerprints.bablosoft[.]com”, to use a service that helps the mining malware evade detection.
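Turning the indicators above into a hunt: the script below is an added example written for this page, not code from Team Cymru or Bablosoft. It refangs the two subdomains and the IP address named in the reporting and scans a small, constructed DNS/proxy log (the log format and every address in it other than the indicators are made up for the example) for exact or parent-domain matches on queried/contacted hostnames and for the C2-adjacent IP in resolved answers and destination fields. The parser is deliberately simple so it can be adapted to real Zeek, Suricata or proxy exports.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Indicators named in the Team Cymru reporting summarised above, kept in the
# defanged form the article uses; refang() turns them back into live values.
DEFANGED_IOCS = (
    "downloads.bablosoft[.]com",
    "fingerprints.bablosoft[.]com",
    "46.101.13[.]144",
)


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back to its live form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


IOC_DOMAINS = tuple(sorted(i for i in map(refang, DEFANGED_IOCS) if not _is_ip(i)))
IOC_IPS = frozenset(ipaddress.ip_address(i) for i in map(refang, DEFANGED_IOCS) if _is_ip(i))


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    kind: str        # "domain" or "ip"
    indicator: str   # the refanged IOC that matched
    observed: str    # the log field value that matched


def domain_matches(observed: str, ioc_domain: str) -> bool:
    """True for an exact match or a subdomain of the indicator (host ends with '.ioc')."""
    observed = observed.lower().rstrip(".")
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


def scan_log(text: str) -> list[Hit]:
    """Scan 'ts src proto key=value ...' lines; hostnames in query=/host=,
    IPs in answer=/dst=. Constructed format, not a real product's log schema."""
    hits: list[Hit] = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # blank or malformed line
        ts, src, _proto, rest = parts
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        for key in ("query", "host"):
            value = fields.get(key)
            if value:
                for d in IOC_DOMAINS:
                    if domain_matches(value, d):
                        hits.append(Hit(ts, src, "domain", d, value))
        for key in ("answer", "dst"):
            value = fields.get(key)
            if value and _is_ip(value) and ipaddress.ip_address(value) in IOC_IPS:
                hits.append(Hit(ts, src, "ip", value, value))
    return hits


def affected_hosts(hits: list[Hit]) -> list[str]:
    """Internal sources that touched an indicator, sorted numerically."""
    return sorted({h.src for h in hits}, key=ipaddress.ip_address)


# Constructed sample log: internal 10.0.0.x sources, 203.0.113.9 and the
# example.* names are placeholders; only the bablosoft entries are real IOCs.
SAMPLE_LOG = """\
2022-05-25T10:01:02Z 10.0.0.5 dns query=downloads.bablosoft.com answer=46.101.13.144
2022-05-25T10:01:03Z 10.0.0.5 http host=downloads.bablosoft.com dst=46.101.13.144
2022-05-25T10:02:10Z 10.0.0.7 dns query=www.example.com answer=93.184.216.34
2022-05-25T10:03:44Z 10.0.0.9 http host=cdn.example.net dst=46.101.13.144
2022-05-25T10:05:00Z 10.0.0.11 dns query=api.fingerprints.bablosoft.com answer=203.0.113.9
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} {h.kind:6} {h.observed} -> {h.indicator}")
    print("hosts to triage:", affected_hosts(found))
```

Two caveats an analyst should keep in mind: the downloads subdomain also serves legitimate BAS users, so a hit is a lead for triage (what did the host fetch, and what ran afterwards?) rather than proof of compromise, and the IP match is deliberately separate from the hostname match because the third sample line shows traffic to the indicator address under an unrelated Host header, which a purely DNS-based rule would miss. IP indicators also age as hosting is reassigned, so re-verify the address before alerting on it long after the report.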
“We can only expect to see BAS become a more prevalent aspect of the threat actor’s toolbox based on the number of actors already using tools given on the Bablosoft website,” the researchers stated.