Brother
A new hacking tool written in Python, tracked as FBot, is being used in attacks on web servers, content management systems, cloud services and SaaS platforms.
The tool was described in detail in a report by SentinelOne researcher Alex Delamotte:
“The key functionality of FBot is the ability to collect credentials for subsequent spam attacks. In addition, the tool allows attacks against PayPal and SaaS accounts.”
FBot thus joins a group of similar cloud-credential toolkits: AlienFox (which also steals AWS, Google and Microsoft 365 accounts to send spam), GreenBot, Legion and Predator.
SentinelOne noted, however, that FBot is not closely related to those families: they share code with AndroxGh0st, while FBot contains no references to it. The tool's purpose is to compromise cloud services and steal credentials, which are then sold on to other cybercriminals.
FBot also includes utilities for generating AWS and SendGrid API keys, generating random IP addresses, running an IP scanner, and checking whether an email address belongs to a valid PayPal account.
“The script creates an API request to PayPal using the website hxxps://www.robertkalinkin.com/index.php, which is a retail resource for a Lithuanian fashion designer,” the researchers explain.
“It’s interesting that FBot chose this site to authenticate API requests to PayPal. By the way, some Legion samples did the same thing.”
The tool also has functions tailored to AWS: it can check the configuration of Amazon Simple Email Service (SES). FBot can also extract credentials from Laravel environment (.env) files.