The rising threat of Browser Automation Framework: All you need to know!

Recent reports by security analysts and researchers point to an increased use of free-to-use browser automation frameworks by attackers. According to a research note by Team Cymru, the framework called Browser Automation Studio (BAS) includes various features that can be exploited in malicious activities and is previously known to have been used for carrying out malware and credential stuffing attacks.

What is Browser Automation Studio?

The BAS Framework is developed by Bablosoft, a firm offering various automation and utility tools. The BAS is a Windows-only automation environment that allows users to create applications with a browser, HTTP client, email client and other libraries. The tool’s capabilities include browser emulation, mimicking human behaviour – keyboard and mouse, proxy support, a mailbox search feature, and the ability to load data from file/URL/string, some of which have attracted several distinct threat actor operations.

Growing adoption of BAS by threat actors

The rising adoption of the malicious BAS framework is creating a thriving community of bad actors who are deploying the tool to carry out malicious activities. Several factors can be attributed to the growing popularity and widespread adoption of the tool.

1. The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors.
   
   
2. Threat actors in the underground economy are advertising their time for the creation of bespoke tooling. The services created include bespoke scripts for BAS, for example to interact with the Telegram API (the app reportedly has an unofficial Bablosoft chat group with 1,000+ users), or the development of platforms for performing credential stuffing attacks.
   
   
3. The tool is available for free of cost and provides users with an easy-to-use framework for the creation of bots including ‘spammers’ and ‘credential checkers’. Besides, the ease with which threat actors can redistribute and sell work using the tool, makes it a popular component in their toolkits.

Key Use Cases

Researchers have observed command-and-control (C2) IP addresses linked with malware strains such as RedLine Stealer, BlackGuard and Bumblebee communicating with the subdomain of Bablosoft, indicating the possibility of subdomain connections being used by various malware operators for post-exploitation activities. The threat telemetry of Bablosoft along with the analysis of C2s has revealed several use cases for BAS, prominent among them highlighted below:

1. Several hosts associated with cryptojacking malware like XMRig and Tofsee communicating with BAS’s second subdomain are identified. This element of the BAS service reportedly allows users to alter their browser fingerprint, a function likely used by malware actors as a means of anonymizing or normalizing their activity.
   
   
2. Secondly, the researchers have identified a “gmail accounts checker” which threat actors are believed to be using to assess the validity of stolen credentials.
   
   
3. There have been previous instances of BAS framework being exploited to automate tasks in Google’s Chrome browser in a manner similar to legitimate developer tools like Puppeteer and Selenium. Additionally, it has been identified by security researchers for its use in credential stuffing attacks and its inclusion into the toolkit used by GRIM SPIDER – the operator of the Ryuk ransomware.

How to safeguard against BAS exploits?

Based on the number of actors already utilizing tools offered on the Bablosoft website, BAS is expected to become a common feature in a threat actor’s toolkit. Organizations should implement unique passwords and prevent users from using compromised credentials. The following best practices can help businesses guard against this emerging threat:

• Avoid downloading pirated software from warez/torrent websites.
• Enforce multi-factor authentication and use strong passwords.
• Educate employees on how to protect themselves against threats such as phishing and suspicious URLs.