Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

    aum

    • 364 views
    • 2 minutes

    Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns.


    "The framework contains numerous features which we assess may be utilized in the enablement of malicious activities," researchers from Team Cymru said in a new report published Wednesday.


    "The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling."


    The U.S. cybersecurity company said it observed command-and-control (C2) IP addresses associated with malware such as Bumblebee, BlackGuard, and RedLine Stealer establishing connections to the downloads subdomain of Bablosoft ("downloads.bablosoft[.]com"), the maker of the Browser Automation Studio (BAS).


    Bablosoft was previously documented by cloud security and application delivery firm F5 in February 2021, pointing to the framework's ability to automate tasks in Google's Chrome browser in a manner similar to legitimate developer tools like Puppeteer and Selenium.


    Threat telemetry for the subdomain's IP address — 46.101.13[.]144 — shows that a vast majority of activity is originating from locations in Russia and Ukraine, with open source intelligence indicating that Bablosoft's owner is allegedly based in the Ukrainian capital city of Kyiv.


It is suspected that the operators of these malware campaigns connected to the Bablosoft subdomain to download additional tooling for use in post-exploitation activity.


The researchers also identified several hosts associated with cryptojacking malware such as XMRig and Tofsee communicating with a second subdomain, "fingerprints.bablosoft[.]com", to use a service that helps the mining malware conceal its behavior.
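The article names three indicators: the two Bablosoft subdomains and the IP address behind "downloads.bablosoft[.]com". As an added example (not code from the article or from Team Cymru), the script below refangs those indicators and scans DNS and proxy log lines for internal hosts that contacted them. The log formats (a BIND-style query log and a Squid-style access log) and the sample lines are assumptions constructed for illustration; only the indicators themselves come from the article.

```python
"""Match the Bablosoft indicators quoted in the article against log lines.

Added example, not the article's or Team Cymru's code. Log formats and the
sample lines are assumed/constructed; the indicators are the article's.
"""
import ipaddress
import re

# Indicators exactly as the article prints them (defanged with "[.]").
DEFANGED_IOCS = [
    "downloads.bablosoft[.]com",
    "fingerprints.bablosoft[.]com",
    "46.101.13[.]144",
]

# Assumed log shapes: a BIND query log line and a Squid native access log line.
DNS_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN"
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<src>[\d.]+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)

# Constructed sample telemetry (not real data): three hits, two non-hits.
SAMPLE_LOGS = [
    # BIND: an internal host resolves the downloads subdomain -> hit
    "25-May-2022 10:14:02.117 queries: info: client 10.0.0.5#51234 "
    "(downloads.bablosoft.com): query: downloads.bablosoft.com IN A + (10.0.0.2)",
    # BIND: benign lookup -> no hit
    "25-May-2022 10:14:03.001 queries: info: client 10.0.0.6#51235 "
    "(example.com): query: example.com IN A + (10.0.0.2)",
    # BIND: look-alike name; suffix matching is anchored on a dot -> no hit
    "25-May-2022 10:14:04.500 queries: info: client 10.0.0.7#51236 "
    "(notbablosoft.com): query: fingerprints.notbablosoft.com IN A + (10.0.0.2)",
    # Squid: CONNECT straight to the IP, no DNS name involved -> hit on the IP
    "1653473645.123    245 10.0.0.8 TCP_TUNNEL/200 4096 CONNECT "
    "46.101.13.144:443 - HIER_DIRECT/46.101.13.144 -",
    # Squid: plain HTTP request to the fingerprint service -> hit
    "1653473650.456     80 10.0.0.9 TCP_MISS/200 2048 GET "
    "http://fingerprints.bablosoft.com/api - HIER_DIRECT/46.101.13.144 application/json",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_contact(line: str):
    """Return (source_host, contacted_name_or_ip) for a log line, else None."""
    m = DNS_RE.search(line)
    if m:
        return m.group("src"), m.group("qname").rstrip(".").lower()
    m = PROXY_RE.match(line)
    if m:
        # URL may be "scheme://host/path", "host:port" (CONNECT) or bare host.
        host = re.sub(r"^[a-z]+://", "", m.group("url"), flags=re.I)
        host = host.split("/")[0].split(":")[0]
        return m.group("src"), host.lower()
    return None


def match_iocs(lines, iocs=DEFANGED_IOCS):
    """Scan lines; return [(source_host, contacted_value, line_number), ...].

    Hostnames match exactly or as a child label ("x.downloads.bablosoft.com"),
    never as a raw substring, so look-alike domains do not fire.
    """
    refanged = [refang(i) for i in iocs]
    ips = {i for i in refanged if is_ip(i)}
    hosts = {i for i in refanged if not is_ip(i)}
    hits = []
    for number, line in enumerate(lines, 1):
        contact = extract_contact(line)
        if contact is None:
            continue
        src, dst = contact
        if dst in ips or dst in hosts or any(dst.endswith("." + h) for h in hosts):
            hits.append((src, dst, number))
    return hits


if __name__ == "__main__":
    for src, dst, number in match_iocs(SAMPLE_LOGS):
        print(f"line {number}: {src} contacted {dst}")
```

Matching on the exact name or a child label rather than a substring is deliberate: a substring check would also fire on "fingerprints.notbablosoft.com". Whether to widen the rule to the parent domain bablosoft.com is a policy call for the deploying team, since the article only documents the two subdomains.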


    "Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor's toolkit," the researchers said.
