Threat actors are increasingly using a free-to-use browser automation framework as part of their attack efforts, according to cybersecurity experts.
“The framework has various elements that we estimate might be used to facilitate malicious activity,” Team Cymru researchers said in a new analysis released on Wednesday.
“The framework’s technical entry barrier has been purposely maintained low, resulting in an active community of content creators and contributors, with participants in the underground economy advertising their time for the construction of custom tools.”
According to the cybersecurity firm, command-and-control (C2) IP addresses associated with malware families including Bumblebee, BlackGuard, and RedLine Stealer were observed connecting to Bablosoft’s downloads subdomain (“downloads.bablosoft[.]com”); Bablosoft is the maker of the Browser Automation Studio (BAS).
The framework’s ability to automate actions in Google’s Chrome browser, in a manner comparable to legitimate developer tools such as Puppeteer and Selenium, was previously documented by cloud security and application delivery provider F5 in February 2021.
Threat telemetry for the subdomain’s IP address — 46.101.13[.]144 — reveals that the vast majority of activity originates from Russia and Ukraine, with open source information suggesting that Bablosoft’s owner is headquartered in Kyiv, Ukraine’s capital.
The operators of the malware campaigns are thought to have connected to the Bablosoft subdomain in order to acquire additional tools for use in post-exploitation operations.
Several sites linked to cryptojacking malware like XMRig and Tofsee were also discovered interacting with a second subdomain called “fingerprints.bablosoft[.]com” to utilize a service that helps the mining malware hide its activity.
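For defenders who want to hunt for the traffic pattern described above in their own telemetry, here is an added example (not code from Team Cymru or Bablosoft) that refangs the indicators quoted in the article and matches them against DNS and connection log lines. The log format, the sample lines, and the decision to treat any subdomain of bablosoft.com as a hunting lead are assumptions for illustration, not claims from the analysis.

```python
import re
from typing import Dict, List

# Indicators as quoted in the write-up above, in defanged form.
DEFANGED_INDICATORS = [
    "downloads.bablosoft[.]com",
    "fingerprints.bablosoft[.]com",
    "46.101.13[.]144",
]


def refang(value: str) -> str:
    """Convert the 'example[.]com' / 'hxxp' defanging notation back to a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


INDICATORS = {refang(v) for v in DEFANGED_INDICATORS}

# Constructed sample log (assumed format: '<timestamp> <source ip> <event> <host[:port]>').
# These are not real events; they exist only to exercise the matcher offline.
SAMPLE_LOG = """\
2022-05-25T10:01:02Z 10.0.0.5 dns query downloads.bablosoft.com
2022-05-25T10:01:03Z 10.0.0.5 conn 46.101.13.144:443
2022-05-25T10:02:10Z 10.0.0.9 dns query cdn.example.org
2022-05-25T10:03:44Z 10.0.0.7 dns query fingerprints.bablosoft.com
2022-05-25T10:04:00Z 10.0.0.9 conn 93.184.216.34:443
"""

# Pull the queried hostname or destination IP (port stripped) off the end of a line.
HOST_RE = re.compile(r"(?:dns query|conn) (?P<host>[A-Za-z0-9.\-]+)(?::\d+)?$")


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per line whose host is a listed indicator or any bablosoft.com subdomain.

    A hit is a hunting lead, not a verdict: the vendor site itself is legitimate, so
    each match still needs triage of the source host for the malware families named above.
    """
    hits = []
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue  # unrecognised event shape; skip rather than guess
        host = m.group("host")
        if host in INDICATORS or host.endswith(".bablosoft.com"):
            ts, src = line.split()[:2]
            hits.append({"ts": ts, "src": src, "indicator": host})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['indicator']}")
```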
“We can only expect to see BAS become a more prevalent aspect of the threat actor’s toolbox based on the amount of actors already using tools given on the Bablosoft website,” the researchers stated.