SentinelOne’s malware hunters flagged a recently uncovered Python-based hacking tool employed by cybercriminals to hijack cloud platforms and payment services.
The tool, named FBot, can harvest credentials for use in spamming attacks, hijack AWS accounts, and facilitate attacks against PayPal and various SaaS accounts.
As per documentation from the company’s SentinelLabs research unit, FBot is distinguished by a smaller footprint compared to similar tools, suggesting potential private development and a more targeted distribution approach.
SentinelLabs researcher Alex Delamotte analyzed the internals of the attack tool and identified functionalities geared towards targeting web servers, cloud services, and Software-as-a-Service (SaaS) technologies, including AWS, Office365, PayPal, Sendgrid, and Twilio.
While its primary purpose is to enable actors to hijack cloud, SaaS, and web services, Delamotte uncovered a secondary focus on acquiring accounts for the purpose of conducting spamming attacks.
“The tool incorporates various utilities, including an IP address generator and port scanner. Additionally, it features an email validator function that utilizes an Indonesian technology service provider for validating email addresses,” mentioned the SentinelLabs researcher.
The anti-malware company identified various features aimed at targeting payment services, such as a PayPal Validator feature, a SendGrid API key generator, and functionalities for harvesting key secrets.
Delamotte suggests that organizations implement multi-factor authentication (MFA) for AWS services with programmatic access and establish systems to notify security operations teams when a new AWS user account is added to the organization.
The researcher recommends configuring alerts for the addition of new identities or significant configuration changes to SaaS bulk mailing applications.
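One way to implement the new-AWS-user alert recommended above, as an added example that is not from SentinelLabs or the original article: it scans CloudTrail records for IAM calls that create a user or give one credentials, and raises the severity when the caller's session was not MFA-authenticated. The CloudTrail field names and IAM event names are real; the account ID, user names, IP addresses and the severity rule are constructed assumptions.

```python
# Added example: CloudTrail field names are real; every record value is constructed.
WATCHED = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy"}

def iam_identity_alerts(records):
    """Return one alert per watched IAM call found in CloudTrail records."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in WATCHED:
            continue
        ident = rec.get("userIdentity", {})
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        # Calls signed with long-term access keys carry no sessionContext: treat as no MFA.
        mfa = attrs.get("mfaAuthenticated") == "true"
        denied = "errorCode" in rec
        alerts.append({
            "event": rec["eventName"],
            "actor": ident.get("arn", "unknown"),
            # requestParameters can be null on failed calls.
            "target": (rec.get("requestParameters") or {}).get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": "denied" if denied else "success",
            # Assumed triage rule: successful identity changes made without MFA rank highest.
            "severity": "high" if (not denied and not mfa) else "medium",
        })
    return alerts

KEY_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"}
SAMPLE_RECORDS = [  # constructed CloudTrail records, trimmed to the fields used above
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10", "userIdentity": KEY_USER,
     "requestParameters": {"userName": "example-new-user"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.10", "userIdentity": KEY_USER,
     "requestParameters": {"userName": "example-new-user"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "new-hire"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.10", "userIdentity": KEY_USER,
     "errorCode": "AccessDenied", "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "userIdentity": KEY_USER},
]

if __name__ == "__main__":
    for alert in iam_identity_alerts(SAMPLE_RECORDS):
        print(alert)
```

Denied attempts are kept as medium-severity alerts because repeated failures from one access key are themselves worth a look.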
Indicators of Compromise
|Bot.py, January 2024 version of FBot
|April 2023 version of FBot
|Bot.py, July 2022 version of FBot
|Hardcoded AWS IAM Username
|Hardcoded AWS IAM User password