FBot Hack Tool
FBot is a recently discovered Python-based hacking tool that targets web servers, cloud services, Content Management Systems (CMS) and Software as a Service (SaaS) platforms, among them Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid and Twilio. Its notable functions include harvesting credentials for spam campaigns, tooling for hijacking AWS accounts, and attacks against PayPal and other SaaS accounts.
Similarities Found Between the FBot Hacking Tool and Other Malware Families
FBot joins the ranks of cloud hacking tools such as AlienFox, GreenBot (also known as Maintance), Legion and Predator. Notably, those four tools share code-level similarities with AndroxGh0st.
Researchers describe FBot as related to, but distinct from, these tool families. Unlike its counterparts, FBot does not reuse any AndroxGh0st source code. It does, however, share code with Legion, which was first reported in 2023.
The ultimate objective of FBot is to commandeer the cloud, Software as a Service (SaaS), and Web services. It achieves this by harvesting credentials to gain initial access and subsequently monetizes this access by selling it to other threat actors.
FBot Can Perform a Range of Malicious Activities
Beyond generating API keys for AWS and Sendgrid, FBot bundles a variety of functions, including generating random IP addresses, running reverse IP scanners, and validating PayPal accounts together with their associated email addresses.
The script authenticates its PayPal API requests through the website hxxps://www.robertkalinkin.com/index.php, the retail site of a Lithuanian fashion designer. Intriguingly, every identified FBot sample uses this site for PayPal API authentication, a behaviour also seen in several Legion Stealer samples.
FBot also carries AWS-specific features that inspect the account's Simple Email Service (SES) sending configuration and query its EC2 service quotas; together these tell the operator how much mail and compute a stolen key can drive. The Twilio functionality likewise collects account details such as the balance, currency and linked phone numbers. Finally, the tool extracts credentials from Laravel environment (.env) files, the usual source of the AWS, Sendgrid, Twilio and mail secrets it abuses.
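The two defender-side checks that follow from this paragraph are (1) knowing which of the targeted secret types a Laravel .env actually exposes and (2) spotting a freshly stolen AWS key being used for the SES and service-quota enumeration described above. The block below is an added example written for this page, not FBot's code nor any vendor tooling: the .env contents, the CloudTrail records, the grouping of environment variable names by service, and the set of event names treated as reconnaissance are all constructed assumptions (the event names themselves are real AWS API names; the AWS key values are the placeholders from AWS documentation).

```python
"""Triage helpers for a suspected FBot-style credential theft (added example, not FBot's code)."""
import json
import re
from collections import defaultdict

# Environment variable names that Laravel apps commonly use for the services named on the
# page. The grouping is this example's assumption, not FBot's own target list.
TARGETED_KEYS = {
    "aws": ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_DEFAULT_REGION"),
    "sendgrid": ("SENDGRID_API_KEY",),
    "twilio": ("TWILIO_ACCOUNT_SID", "TWILIO_SID", "TWILIO_AUTH_TOKEN"),
    "paypal": ("PAYPAL_CLIENT_ID", "PAYPAL_SECRET"),
    "mail": ("MAIL_HOST", "MAIL_USERNAME", "MAIL_PASSWORD"),
}

# KEY=value, optional "export", optional surrounding quotes; comments and blanks are skipped.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse Laravel-style .env content into a dict of key -> unquoted value."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key] = val
    return out


def exposed_credentials(env):
    """Return {service: [variable, ...]} for targeted variables that are set to non-empty values."""
    found = {}
    for service, keys in TARGETED_KEYS.items():
        present = [k for k in keys if env.get(k)]
        if present:
            found[service] = present
    return found


# CloudTrail eventName values for the account checks the page describes (SES sending limits
# and service quotas) plus the identity check most tools make first. Which calls count as
# reconnaissance is this example's choice.
RECON_EVENTS = {
    "GetCallerIdentity", "GetSendQuota", "GetAccountSendingEnabled", "GetAccount",
    "GetServiceQuota", "ListServiceQuotas", "DescribeAccountAttributes",
}


def recon_from_unknown_key(records, known_keys, min_events=2):
    """Flag access keys absent from the inventory that made >= min_events distinct recon calls.

    Returns {accessKeyId: sorted list of eventNames}.
    """
    by_key = defaultdict(set)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key and key not in known_keys and rec.get("eventName") in RECON_EVENTS:
            by_key[key].add(rec["eventName"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_events}


# Constructed sample .env; AWS values are the placeholder credentials from AWS documentation.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
# database
DB_PASSWORD="s3cret"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
SENDGRID_API_KEY=
TWILIO_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_AUTH_TOKEN=deadbeefdeadbeef
MAIL_HOST=smtp.example.com
MAIL_USERNAME=mailer
MAIL_PASSWORD=hunter2
"""

# Constructed CloudTrail records: the leaked key enumerates SES and EC2 quotas, a known key does not.
def _ev(name, source, key, ip):
    return {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}

KNOWN_KEYS = {"AKIAI44QH8DHBEXAMPLE"}
SAMPLE_TRAIL = [
    _ev("GetCallerIdentity", "sts.amazonaws.com", "AKIAIOSFODNN7EXAMPLE", "203.0.113.9"),
    _ev("GetSendQuota", "ses.amazonaws.com", "AKIAIOSFODNN7EXAMPLE", "203.0.113.9"),
    _ev("GetServiceQuota", "servicequotas.amazonaws.com", "AKIAIOSFODNN7EXAMPLE", "203.0.113.9"),
    _ev("GetObject", "s3.amazonaws.com", "AKIAI44QH8DHBEXAMPLE", "198.51.100.4"),
    _ev("GetSendQuota", "ses.amazonaws.com", "AKIAI44QH8DHBEXAMPLE", "198.51.100.4"),
]

if __name__ == "__main__":
    print(json.dumps(exposed_credentials(parse_env(SAMPLE_ENV)), indent=2))
    print(json.dumps(recon_from_unknown_key(SAMPLE_TRAIL, KNOWN_KEYS), indent=2))
```

On real data, feed `parse_env` the .env files found under each web root and `recon_from_unknown_key` a CloudTrail export, with `known_keys` taken from an IAM access-key inventory; an unknown key that starts with identity and quota lookups rather than the application's normal calls is the pattern worth alerting on, and any key found in a world-readable .env should be rotated regardless of whether the trail shows use.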
FBot May Be a Custom-Made Malware Tool
Attacks using FBot have been observed from July 2022 through early 2024, so the tool is still in active use. How it is currently maintained, and how it is distributed to other actors, remains unknown.
There are signs that FBot is privately developed, which would mean recent builds circulate through a more limited, closed operation. This matches the broader trend of cloud attack tools being sold as bespoke 'private bots' tailored to individual buyers, the same approach seen with AlienFox builds.