Python-Based Tool FBot Disrupts Cloud Security

Written by

Security researchers have shed light on a new Python-based hacking tool, FBot, showcasing distinct features from other cloud malware families. 

Discovered by the SentinelLabs team, FBot targets web servers, cloud services and Software-as-a-Service (SaaS) platforms like AWS, Office365, PayPal, Sendgrid and Twilio.

FBot’s key features include credential harvesting for spamming attacks, tools for hijacking AWS accounts and functionalities enabling attacks against PayPal and various SaaS accounts. 

Writing in an advisory published last Thursday, SentinelLabs security researcher Alex Delamotte explained that FBot demonstrated a smaller footprint than similar tools, suggesting possible private development and a more targeted distribution approach.

Delamotte also explained the malware does not utilize the widely used Androxgh0st code. Instead, it shares functionality and design similarities with the Legion cloud infostealer.

Read more on Legion and similar tools: Predator AI ChatGPT Integration Poses Risk to Cloud Services

The tool’s functionalities span AWS targeting, including an AWS API Key Generator and Mass AWS Checker, as well as targeting payment services such as PayPal, with a unique PayPal Validator feature.

Furthermore, FBot possesses capabilities to target SaaS platforms like Sendgrid and Twilio, showcasing features like Sendgrid API Key Generator and Twilio SID and Auth Token checker. The tool also includes functionalities for web framework reconnaissance, scanning for Laravel environments and extracting credentials from various files.

Despite its unique characteristics, Delamotte clarified that FBot fits into an existing trend in the cybersecurity landscape.

“FBot demonstrates another tool family that continues the trend of adopting cloud attack tool code from one tool into another while maintaining its own distinct flavor,” Delamotte wrote.

The SentinelLabs technical write-up also highlighted that FBot samples have been observed from July 2022 to January 2024, indicating continued proliferation, though the level of active maintenance remains uncertain.

Currently, no identified distribution channel is dedicated to FBot, differentiating it from other cloud infostealers typically sold on platforms like Telegram. 

Indications suggest that FBot may be a product of private development work, aligning with the growing trend of bespoke ‘private bots’ tailored for individual buyers in the realm of cloud attack tools.

“Organizations should enable multi-factor authentication (MFA) for AWS services with programmatic access,” Delamotte warned. 

“Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible.”

What’s hot on Infosecurity Magazine?