Researchers have published a report on the growing use of Browser Automation Studio (BAS), a framework developed by Bablosoft, which threat actors actively use because its browser automation functionality is free.
The framework contains several functions that threat actors can turn to illegal ends. It is a Windows-only automation environment that supports a range of browser-related tasks.
The researchers suspect that the tool's technical entry bar is intentionally kept low by the threat actors to attract more content developers and contributors. This lets adversaries promote their more advanced tools within the underground community and economy.
Several command-and-control IP addresses linked to different malware families, such as Bumblebee, RedLine Stealer, and BlackGuard, have also been observed communicating with a Bablosoft subdomain.
In addition, multiple hosts affiliated with Tofsee and XMRig miners communicated with a second subdomain, fingerprints[.]bablosoft[.]com. The threat actors also use a service that helps the miner obfuscate its behaviour.
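Because the report names fingerprints[.]bablosoft[.]com as a domain contacted by infected hosts, the practical defensive check is to look for that indicator in DNS telemetry. The script below is an added example, not code from the report or from Bablosoft: it scans a few constructed DNS log lines (timestamp, client IP, query name; the format is an assumption, as is the extra constructed subdomain updates.bablosoft.com used to show that any subdomain of the parent is matched) and returns the clients that queried the watched domain, with the names defanged for reporting.

```python
"""Flag DNS queries for bablosoft.com and its subdomains in a DNS query log."""
import re
from collections import defaultdict

# Indicator from the report is fingerprints[.]bablosoft[.]com (defanged).
# Matching on the parent domain catches that host and any other subdomain.
WATCHED_DOMAINS = {"bablosoft[.]com"}

# Constructed sample log lines (not real telemetry). Assumed format:
# "<timestamp> <client ip> <query name>". The trailing dot, upper case and
# the malformed line are there to exercise normalisation and error handling.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com
2024-01-01T10:00:02Z 10.0.0.7 fingerprints.bablosoft.com
2024-01-01T10:00:03Z 10.0.0.9 notbablosoft.com
2024-01-01T10:00:04Z 10.0.0.7 FINGERPRINTS.BABLOSOFT.COM.
2024-01-01T10:00:05Z 10.0.0.12 updates.bablosoft.com
malformed line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")


def refang(name: str) -> str:
    """Turn a defanged indicator like example[.]com back into a real name."""
    return name.replace("[.]", ".")


def defang(name: str) -> str:
    """Defang a name so it is safe to paste into a report."""
    return name.replace(".", "[.]")


def is_watched(qname: str, watched=WATCHED_DOMAINS) -> bool:
    """True if qname equals a watched domain or is a subdomain of one.

    The "." + domain suffix check prevents notbablosoft.com from matching.
    """
    q = normalize(qname)
    for dom in watched:
        d = normalize(refang(dom))
        if q == d or q.endswith("." + d):
            return True
    return False


def scan_dns_log(text: str, watched=WATCHED_DOMAINS) -> dict:
    """Return {client_ip: [defanged query names]} for queries to watched domains."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        _, client, qname = m.groups()
        if is_watched(qname, watched):
            hits[client].append(defang(normalize(qname)))
    return dict(hits)


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(names))
```

Hosts that appear in the result are candidates for the follow-up the report implies (checking for BAS, Tofsee or XMRig artefacts); a match on the parent domain alone is a lead, not proof of infection, since the same domain serves legitimate Bablosoft users.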
The BAS framework offers several other utility capabilities and automation tools.
Researchers first discovered the framework in February of last year; it included a feature that automates tasks in Google Chrome browsers.
Many researchers also claim that the operators of the malware campaigns connect to the Bablosoft subdomain to retrieve additional features for use in their post-breach exploitation activities. The tool's easy accessibility is likely to be a deciding factor for many threat groups that may adopt the framework.
Experts expect the BAS framework to become a more common part of the hackers' toolkit, given the sheer number of malicious threat actors already using the tools endorsed by the Bablosoft website.
The new framework is a threat that can challenge many cybersecurity experts. Organisations are advised to employ unique passwords and to instruct users not to use compromised credentials.