Security researchers have shed light on a new Python-based hacking tool, FBot, whose features set it apart from other cloud malware families.
Discovered by the SentinelLabs team, FBot targets web servers, cloud services and Software-as-a-Service platforms like AWS, Office365, PayPal, Sendgrid and Twilio.
FBot's key features include credential harvesting for spamming attacks, tools for hijacking AWS accounts and functionalities enabling attacks against PayPal and various SaaS accounts.
Writing in an advisory published last Thursday, SentinelLabs security researcher Alex Delamotte explained that FBot demonstrated a smaller footprint than similar tools, suggesting possible private development and a more targeted distribution approach.
Delamotte also explained the malware does not utilize the widely used Androxgh0st code.
Instead, it shares functionality and design similarities with the Legion cloud infostealer.
The tool's functionalities span AWS targeting, including an AWS API Key Generator and Mass AWS Checker, as well as targeting payment services such as PayPal, with a unique PayPal Validator feature.
FBot can also target SaaS platforms like Sendgrid and Twilio, with features such as a Sendgrid API Key Generator and a Twilio SID and Auth Token checker.
The tool also includes functionalities for web framework reconnaissance, scanning for Laravel environments and extracting credentials from various files.
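Because the tool pulls credentials out of Laravel environment files, a defender can audit their own deployments for the same exposure. The following is an added example, not code from SentinelLabs or from FBot: it walks a directory tree and reports `.env` files holding values that match the publicly documented formats of AWS access key IDs, SendGrid API keys and Twilio Account SIDs. The variable names and sample values in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile

# Publicly documented credential formats for services the article names.
# The patterns are this example's choice, not logic taken from FBot.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "sendgrid_api_key": re.compile(r"SG\.[\w-]{22}\.[\w-]{43}"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
}


def audit_env_files(root):
    """Return (path, line_no, variable, kind, masked_value) for each hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith(".env"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    line = line.strip()
                    if not line or line.startswith("#") or "=" not in line:
                        continue
                    var, value = line.split("=", 1)
                    value = value.strip().strip("'\"")
                    for kind, rx in PATTERNS.items():
                        if rx.search(value):
                            # Mask the secret so the report itself is safe to share.
                            masked = value[:4] + "*" * (len(value) - 4)
                            findings.append((path, line_no, var.strip(), kind, masked))
    return findings


def demo():
    """Audit a constructed Laravel-style .env holding fake sample values."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".env"), "w", encoding="utf-8") as fh:
            fh.write("APP_NAME=Laravel\n# constructed sample values\n")
            fh.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
            fh.write('MAIL_PASSWORD="SG.' + "a" * 22 + "." + "b" * 43 + '"\n')
            fh.write("TWILIO_SID=AC" + "0" * 32 + "\n")
        return [(f[1], f[2], f[3]) for f in audit_env_files(root)]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Any hit inside a web-served directory means the credential should be rotated and the file moved out of the document root.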
Despite its unique characteristics, Delamotte clarified that FBot fits into an existing trend in the cybersecurity landscape.
The SentinelLabs technical write-up also highlighted that FBot samples have been observed from July 2022 to January 2024, indicating continued proliferation, though the level of active maintenance remains uncertain.
Currently, no identified distribution channel is dedicated to FBot, differentiating it from other cloud infostealers typically sold on platforms like Telegram.
There are indications that FBot may be a product of private development work, aligning with the growing trend of bespoke 'private bots' tailored for individual buyers in the realm of cloud attack tools.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Mon, 15 Jan 2024 16:30:21 +0000