SentinelLabs: Exploring FBot – Python-Based Malware Targeting Cloud and Payment Services
January 2024 by SentinelLabs
SentinelLabs has identified a tool that is related to, but distinct from, other cloud malware families. FBot is a Python-based attack tool with features to target web servers and cloud services as well as Software-as-a-Service (SaaS) technologies, including Amazon Web Services (AWS), Office365, PayPal, Sendgrid, and Twilio.
FBot is primarily designed for actors to hijack cloud, SaaS, and web services. There is a secondary focus on obtaining accounts to conduct spamming attacks. Actors can use the credential harvesting features to obtain initial access, which they can sell to other parties.
Key points
FBot is a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio.
FBot does not utilise the widely-used Androxgh0st code but shares similarities with the Legion cloud infostealer in functionality and design.
Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts.
FBot is characterised by a smaller footprint compared to similar tools, indicating possible private development and a more targeted distribution approach.
Conclusion
FBot is another tool family that continues the trend of adopting cloud attack tool code from one tool into another while maintaining its own distinct flavour. SentinelLabs has seen samples spanning July 2022 to January 2024, showing that the tool continues to proliferate. However, there are relatively few changes across versions, and it is unclear whether the tool is actively maintained.
As of this writing, SentinelLabs is unable to identify a distribution channel dedicated to FBot, which differentiates the tool from other cloud infostealers often sold on Telegram. The bot has references to buffer_0x0verfl0w, a Telegram channel associated with various crimeware that has since been retired. However, indications are that FBot is the product of private development work, so contemporary builds may be distributed through a smaller-scale operation. This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is prevalent among AlienFox builds.
Organisations should enable multi-factor authentication (MFA) for AWS services with programmatic access. Create alerts that notify security operations teams when a new AWS user account is added to the organisation, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible.
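One way to implement the new-user alert recommended above, as an added example that is not taken from the SentinelLabs report: a Python filter over CloudTrail records that flags IAM CreateUser calls and raises the severity when the caller used a long-term access key without MFA. The sample records, account ID, user names, key IDs and the severity scheme are constructed assumptions.

```python
"""Flag IAM CreateUser events in CloudTrail records and rate them by caller context."""
import json

# Constructed sample records for illustration; account ID, names, keys and IPs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2024-01-10T09:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLEKEY000002",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "new-hire"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mailer",
                      "accessKeyId": "AKIAEXAMPLEKEY000003"},
     "requestParameters": None},
    {"eventTime": "2024-01-10T09:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser"}},
]})


def new_user_alerts(cloudtrail_json):
    """Return one alert dict per IAM CreateUser record, including denied attempts."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "CreateUser":
            continue
        ident = rec.get("userIdentity", {})
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        mfa = attrs.get("mfaAuthenticated") == "true"
        # An AKIA prefix marks a long-term IAM user access key (programmatic access).
        long_term_key = ident.get("accessKeyId", "").startswith("AKIA")
        severity = "high" if (long_term_key and not mfa) else "medium" if not mfa else "low"
        alerts.append({
            "time": rec.get("eventTime"), "caller": ident.get("arn"),
            "new_user": (rec.get("requestParameters") or {}).get("userName"),
            "source_ip": rec.get("sourceIPAddress"), "mfa": mfa,
            "outcome": "denied" if "errorCode" in rec else "created", "severity": severity,
        })
    return alerts

if __name__ == "__main__":
    print(*new_user_alerts(SAMPLE_LOG), sep="\n")
```

Denied attempts are reported as well, since a failed CreateUser from a long-term key is still a sign that the key is being used outside its normal role.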