Cybercrime

Researchers Flag FBot Hacking Tool Hijacking Cloud, Payment Services

The tool, called FBot, is capable of credential harvesting for spamming attacks, and AWS, PayPal and SaaS account hijacking.

Published

The tool, called FBot, is capable of credential harvesting for spamming attacks, and AWS, PayPal and SaaS account hijacking.

Malware hunters at SentinelOne on Thursday flagged a newly discovered Python-based hacking tool being used by cybercriminals to hijack cloud platforms and payment services.

The tool, called FBot, is capable of credential harvesting for spamming attacks, AWS account hijacking and functions to enable attacks against PayPal and various SaaS accounts.

According to documentation from the company’s SentinelLabs research unit, Fbot is characterized by a smaller footprint compared to similar tools, indicating possible private development and a more targeted distribution approach.

SentinelLabs researcher Alex Delamotte dissected the internals of the attack tool and found features to target web servers and cloud services as well as Software-as-a-Service (SaaS) technologies that include Aws, Office365, PayPal, Sendgrid and Twilio.

While the tool is primarily designed for actors to hijack cloud, SaaS, and web services, Delamotte discovered a secondary focus on obtaining accounts to conduct spamming attacks. 

“The tool contains assorted utilities, including an IP address generator and port scanner. There is also an email validator function, which uses an Indonesian technology service provider to validate email addresses,” the SentinelLabs researcher said.

The anti-malware company also discovered several features that target payment services, including a PayPal Validator feature, a SendGrid API key generator, and features for harvesting key secrets. 

Delamotte recommends that organizations enable multi-factor authentication (MFA) for AWS services with programmatic access and set up systems to alert security operations teams when a new AWS user account is added to the organization.

Advertisement. Scroll to continue reading.

The researcher also suggests setting up alerts for new identities added or major configuration changes to SaaS bulk mailing applications.

Related: New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware

Related: US Gov Warning: Start Hunting for Iranian APTs That Exploited Log4j

Related: Researchers Crowdsourcing Effort to ID Mysterious Metador APT

Related: Urgent Fixes for Critical Flaws in Windows Kerberos, Hyper-V

In this article:, , ,

Related Content

How AWS disrupts DDoS attacks and is tackling IP Spoofing at the source

Cloud Security

Inside AWS’s Crusade Against IP Spoofing and DDoS Attacks

SecurityWeek speaks to Tom Scholl, VP and distinguished engineer at AWS, on how the organization tackles IP Spoofing and DDoS attacks.

April 11, 2024

Cloud Security

Amazon One Enterprise Enables Palm-Based Access to Physical Locations, Digital Assets

AWS announces Amazon One Enterprise, a palm-based identity service that enables users to easily access physical locations and digital assets.

November 28, 2023

Cloud Security

AWS Using MadPot Decoy System to Disrupt APTs, Botnets

AWS says an internal threat intel decoy system called MadPot has successfully trapped nation state-backed APTs like Volt Typhoon and Sandworm.

September 29, 2023

Application Security

PayPal Warns Users of Credential Stuffing Attacks

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

January 20, 2023

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version