Researchers identify FBot hacking tool hijacking cloud and payment services.


SentinelOne’s malware hunters flagged a recently uncovered Python-based hacking tool employed by cybercriminals to hijack cloud platforms and payment services.

FBot hacking tool hijacking cloud and payment services

The tool, named FBot, can harvest credentials for use in spamming attacks, hijack AWS accounts, and mount attacks against PayPal and various SaaS accounts.

According to the company’s SentinelLabs research unit, FBot has a smaller footprint than comparable tools, which suggests private development and a more targeted distribution approach.

SentinelLabs researcher Alex Delamotte analyzed the internals of the attack tool and identified functionality aimed at web servers, cloud services, and Software-as-a-Service (SaaS) technologies, including AWS, Office365, PayPal, SendGrid, and Twilio.

While its primary purpose is to let actors hijack cloud, SaaS, and web services, Delamotte found a secondary focus on acquiring accounts for use in spamming attacks.

“The tool incorporates various utilities, including an IP address generator and port scanner. Additionally, it features an email validator function that utilizes an Indonesian technology service provider for validating email addresses,” mentioned the SentinelLabs researcher.

The anti-malware company also identified features aimed at payment services, such as a PayPal Validator, a SendGrid API key generator, and functions for harvesting key secrets.

Delamotte recommends that organizations enforce multi-factor authentication (MFA) for AWS identities with programmatic access, and set up alerting so that security operations teams are notified whenever a new AWS user account is added to the organization.
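As an added illustration of that detection guidance (example code, not from SentinelLabs or this article): a small Python triage routine over CloudTrail records that flags the creation of new IAM users or credentials, rates any that target the username the IoC table lists as hardcoded in FBot as high, and records whether the acting session was MFA-authenticated. The CloudTrail records are constructed samples; the account id and user names are assumptions.

```python
# CloudTrail records constructed for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "build-svc"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jane",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-01-10T09:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "iDevXploit"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-01-10T09:12:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "requestParameters": {"userName": "iDevXploit"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "requestParameters": None,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jane"}},
]

KNOWN_FBOT_IAM_USERS = {"iDevXploit"}  # username SentinelLabs reports FBot hardcodes
# IAM API calls that add a new identity or a new credential to the account.
WATCHED_IAM_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}


def mfa_authenticated(event):
    """True when CloudTrail records the calling session as MFA-authenticated."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def triage_cloudtrail(events):
    """Return one alert per watched IAM change, in the order the events arrive."""
    alerts = []
    for ev in events:
        name = ev.get("eventName")
        if ev.get("eventSource") != "iam.amazonaws.com" or name not in WATCHED_IAM_EVENTS:
            continue
        target = (ev.get("requestParameters") or {}).get("userName", "")
        mfa = mfa_authenticated(ev)
        # Known FBot username: high. Any new identity/credential from a non-MFA session: medium.
        severity = "high" if target in KNOWN_FBOT_IAM_USERS else ("medium" if not mfa else "low")
        alerts.append({"time": ev.get("eventTime"), "event": name, "target_user": target,
                       "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
                       "mfa": mfa, "severity": severity})
    return alerts
```

In production the same logic would run on events delivered by EventBridge or read from the CloudTrail S3 bucket rather than an inline list.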

The researcher also recommends configuring alerts for the addition of new identities, or for significant configuration changes, in SaaS bulk-mailing applications.

Indicators of Compromise

| Indicator | Notes |
| --- | --- |
| 1ad78e99918fd66ed43d42a93d2f910a2173b3c5 | SHA1 of Bot.py, January 2024 version of FBot |
| 2becd32162b2b0cb1afc541e33ace3a29dad96f1 | SHA1, April 2023 version of FBot |
| 8ba3fca4deada6dbdc94b17a0c3c55a0b785331e | SHA1 of Bot.py, July 2022 version of FBot |
| iDevXploit | Hardcoded AWS IAM username |
| MCDonald2021D#1337 | Hardcoded AWS IAM user password |


About the Author:

FirstHackersNews - Identifies Security
