Security News > 2022 > May > Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns.

The U.S. cybersecurity company said it observed command-and-control IP addresses associated with malware such as Bumblebee, BlackGuard, and RedLine Stealer establishing connections to the downloads subdomain of Bablosoft, the maker of the Browser Automation Studio.

Bablosoft was previously documented by cloud security and application delivery firm F5 in February 2021, pointing to the framework's ability to automate tasks in Google's Chrome browser in a manner similar to legitimate developer tools like Puppeteer and Selenium.

Threat telemetry for the subdomain's IP address - 46.101.13[.]144 - shows that a vast majority of activity is originating from locations in Russia and Ukraine, with open source intelligence indicating that Bablosoft's owner is allegedly based in the Ukrainian capital city of Kyiv.

It's being suspected that the operators of the malware campaigns connected to the Bablosoft subdomain for purposes of downloading additional tools for use as part of post-exploitation activities.

"Based on the number of actors already utilizing tools offered on the Bablosoft website, we can only expect to see BAS becoming a more common element of the threat actor's toolkit," the researchers said.

News URL

https://thehackernews.com/2022/05/hackers-increasingly-using-browser.html