In the realm of cybersecurity threats, a new Python-based hacking tool named FBot has emerged, targeting a wide range of digital domains, including web servers, cloud services, content management systems (CMS), and notable SaaS platforms like AWS, Microsoft 365, PayPal, Sendgrid, and Twilio. The tool, recently uncovered by SentinelOne security researcher Alex Delamotte, boasts features such as credential harvesting for spamming attacks, tools for hijacking AWS accounts, and capabilities to launch attacks on PayPal and various SaaS accounts. Unlike its counterparts AlienFox, GreenBot, Legion, and Predator, FBot stands out by not sharing source code from AndroxGh0st, although it does exhibit similarities with Legion. Its primary objective is to compromise cloud, SaaS, and web services, obtaining initial access and monetizing it by selling the acquired access to other malicious actors.
FBot’s functionality extends beyond the conventional hacking toolkit, offering the generation of API keys for AWS and Sendgrid, random IP address generation, reverse IP scanning, and validation of PayPal accounts and associated email addresses. Notably, it employs a unique method of initiating PayPal API requests through a Lithuanian fashion designer’s retail sales website. The malware also possesses AWS-specific features to inspect AWS Simple Email Service (SES) email configurations and ascertain the targeted account’s EC2 service quotas. The Twilio-related functionality aids in gathering specifics about the account, including balance, currency, and linked phone numbers. FBot’s capabilities further include extracting credentials from Laravel environment files, showcasing its sophistication and multifaceted approach to cyber intrusion.
SentinelOne’s investigation reveals that FBot samples have been active in the wild since July 2022, with evidence suggesting ongoing usage as recently as the current month. While the tool’s distribution method and maintenance status remain unknown, Delamotte suggests that FBot may be a product of private development work, possibly distributed through smaller-scale operations. This aligns with a broader trend in the cybersecurity landscape, where bespoke “private bots” are tailored for individual buyers, resembling the modus operandi observed in AlienFox builds. The emergence of FBot underscores the evolving nature of cyber threats and the continuous efforts required to stay ahead in the cybersecurity landscape.
