New Python-based FBot Hacking Toolkit targeting cloud and SaaS platforms

FBot Hacking Toolkit

A new Python-based hacking tool called FBot It has been discovered to target web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio.

“Key features include credential collection for spam attacks, tools for hijacking AWS accounts, and features to enable attacks on PayPal and various SaaS accounts,” said SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

FBot is the latest addition to the list of cloud hacking tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator, the latter four of which share code-level overlap with AndroxGh0st.

SentinelOne described FBot as “related but distinct from these families”, due to the fact that it does not reference AndroxGh0st source code, although it bears similarities to Legion, which first came to light last year.

The tool’s ultimate goal is to hijack cloud, SaaS, and web services and collect credentials to gain initial access and monetize it by selling access to other actors.

FBot not only offers API keys for AWS and Sendgrid, but also an assortment of features to generate random IP addresses, run reverse IP scanners, and even scan PayPal accounts and the email addresses associated with those accounts. validate.

“The script initiates the Paypal API request via the website hxxps://, the sales website of a Lithuanian fashion designer,” Delamotte noted. “Interestingly, all of the identified FBot examples use this website to authenticate the Paypal API requests, and several Legion Stealer examples do so as well.”

Additionally, FBot includes AWS-specific functions to check for AWS Simple Email Service (SES) email configuration data and determine the target account’s EC2 service quota. The Twilio-related functionality is also used to collect details about the account, namely the balance, currency and phone numbers associated with the account.

The features don’t end there as the malware is also capable of extracting login credentials from Laravel environment files.

The cybersecurity company said it has discovered samples from July 2022 through this month, indicating it is being actively used in the wild. That said, it is currently unknown if the tool is actively maintained and how it is distributed to other players.

“We found evidence that FBot is the product of private development work, so contemporary builds could be distributed through a smaller-scale operation,” Delamotte said.

“This ties in with the theme that cloud attack tools are custom ‘private bots’ tailored to the individual buyer, a theme common to AlienFox builds.”


#Pythonbased #FBot #Hacking #Toolkit #targeting #cloud #SaaS #platforms

Notify of
Inline Feedbacks
View all comments
Previous Post
GitHub for Malicious Purposes

Threat actors are increasingly abusing GitHub for malicious purposes

Next Post
Apache OfBiz Vulnerability

New PoC exploit for Apache OfBiz vulnerability puts ERP systems at risk

Related Posts