SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
SentinelLabs exposes FBot malware targeting cloud, payment services
Mon, 15th Jan 2024

SentinelLabs has published new research into FBot, a Python-based malware tool aimed at cloud and payment services. This unique, multi-function hacking tool gives threat actors the capability to hijack web services such as Amazon Web Services (AWS), Office365, PayPal, Sendgrid, and Twilio. FBot is distinct from similar malware tools such as AlienFox, Predator, Greenbot, and Legion because it does not incorporate the Androxgh0st code.

Attack tools commonly overlap significantly because they tend to borrow each other's code. This is often seen in malware families such as AlienFox, Greenbot, Legion, and Predator, which are based on code from a credential-scraping module called Androxgh0st. However, SentinelLabs has spotted a tool, FBot, that is related to these families but distinct from them.

As a Python-based attack tool, FBot has features specifically designed to target web servers, cloud services, and Software-as-a-Service (SaaS) technologies, including AWS, Office365, PayPal, Sendgrid, and Twilio. FBot is designed primarily for threat actors to obstruct cloud, SaaS, and web services, with a secondary focus on obtaining accounts to facilitate spamming attacks.

Threat actors can capitalise on FBot's credential harvesting features to gain initial access and exploit that access to perform transactions with other parties. FBot remains distinct from other cloud malware families while using a Python-based approach to target web servers, cloud services, and SaaS platforms. It does not use the widely used Androxgh0st code, but it shares some similarities with the Legion cloud infostealer in functionality and design.

Key features of FBot include credential harvesting for spamming attacks, tools to hijack AWS accounts, and capabilities for attacks on PayPal and various SaaS accounts. FBot also has a comparatively smaller footprint, which indicates possible private development and a more targeted distribution approach.

FBot represents a new tool family that continues the trend of cloud attack tools adopting code from existing tools while maintaining its own identity. SentinelLabs has found samples dating from July 2022 to January 2024, indicating ongoing distribution. However, there are few noticeable changes across versions, so it is unclear whether the tool is actively maintained.

SentinelLabs does not have evidence identifying a dedicated distribution channel for FBot, distinguishing it from other cloud infostealers often traded on Telegram. FBot maintains references to buffer_0x0verfl0w, a Telegram channel linked with assorted crimeware, which is now retired. However, the indicators point towards FBot being the result of private development efforts, suggesting that present builds might be distributed through smaller operations.

Organisations are urged to enable multi-factor authentication (MFA) for AWS services that allow programmatic access. Alerts should be established to notify security operations teams when a new AWS user account is created within the organisation. Where possible, firms should also set up alerts for the addition of new identities or major configuration changes to SaaS bulk mailing applications.
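
The new-user alert recommended above can be derived from AWS CloudTrail records. The following is an added example, not code from SentinelLabs or from this article: it flags successful IAM `CreateUser` calls and raises the severity when the caller had no MFA or used a long-term access key. The sample records, account names and IP addresses are constructed, and `new_user_alerts` is a hypothetical helper name.

```python
import json

# Constructed CloudTrail log file content (placeholder names, keys and IPs).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T02:11:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"userName": "svc-mailer"}},
    {"eventTime": "2024-01-15T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "new-analyst"}},
    {"eventTime": "2024-01-15T09:31:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "intern"},
     "requestParameters": {"userName": "x"}},
    {"eventTime": "2024-01-15T09:32:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
]})


def new_user_alerts(log_text):
    """Return one alert per successful IAM CreateUser call in a CloudTrail log file."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("iam.amazonaws.com", "CreateUser"):
            continue
        if "errorCode" in rec:  # denied or failed call: no user was created
            continue
        ident = rec.get("userIdentity", {})
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        mfa = attrs.get("mfaAuthenticated") == "true"
        # AKIA-prefixed key IDs are long-term IAM user keys (programmatic access).
        long_term_key = ident.get("accessKeyId", "").startswith("AKIA")
        alerts.append({
            "time": rec.get("eventTime"),
            "created_user": (rec.get("requestParameters") or {}).get("userName"),
            "actor": ident.get("userName") or ident.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "mfa": mfa,
            "severity": "high" if (long_term_key or not mfa) else "info",
        })
    return alerts


if __name__ == "__main__":
    for alert in new_user_alerts(SAMPLE_LOG):
        print(alert)
```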