FBot is a Python-based hacking tool targeting cloud services and SaaS platforms such as AWS, Office365, PayPal, Sendgrid, and Twilio, with a focus on credential harvesting and cloud account hijacking. It remains smaller and distinct from Androxgh0st while showing ties to Legion, suggesting private development and targeted distribution. #FBot #AWS #PayPal #Sendgrid #Twilio #Legion #Androxgh0st
Keypoints
- FBot targets major cloud and SaaS services (AWS, Office365, PayPal, Sendgrid, Twilio).
- It is distinct from Androxgh0st but shows connections to Legion, implying code sharing or lineage.
- Core use cases include credential harvesting for spamming, hijacking AWS accounts, and targeting PayPal/SaaS.
- The tool has a small footprint (~200 KB), hinting at private development and bespoke distribution.
- AWS targeting features include an AWS API Key Generator (aws_generator), a Mass AWS Checker (aws_checker) that creates an iDevXploit admin user, and an EC2 quota checker (ec_checker).
- For SaaS/Payment, it includes a PayPal Validator via a hardcoded PayPal API endpoint and generators/checkers for Sendgrid and Twilio.
- Web framework capabilities include Hidden Config Scanner and a CMS detector (cms_scanner) to identify credentials and CMS technologies.
MITRE Techniques
- [T1136] Create Account – “The Mass AWS Checker … creates a new user account with the username iDevXploit and the password MCDonald2021D#1337 and attaches the AdministratorAccess policy to elevate privileges for the new account.”
- [T1552.001] Credentials in Files – “The Hidden Config Scanner … parses for keys and secrets related to the following services and the result is written to a text file” and targets files like .env, aws.yml, aws/credentials.
- [T1583.003] Acquire Cloud Infrastructure – “AWS API Key Generator” generates an AWS access key ID and secret key, and the tool’s AWS checks (aws_checker) work toward credential-based access to cloud resources.
- [T1078] Valid Accounts – The tool creates and uses a new AWS IAM account (iDevXploit) with AdministratorAccess to gain and maintain access.
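The Mass AWS Checker behaviour described in the Keypoints and under T1136/T1078 (create an IAM user, then attach AdministratorAccess) leaves a distinctive two-event sequence in CloudTrail. The following detection logic is an added example written for this summary; it is not FBot code and not from the SentinelOne report. It assumes CloudTrail records in their standard JSON shape (eventTime, eventSource, eventName, userIdentity, requestParameters); the sample records, the access key IDs and the benign user names in it are constructed, and only the username iDevXploit and the AdministratorAccess policy come from the report. It flags two things: any CreateUser for the reported hardcoded username, and, more generally, any CreateUser followed within a short window by AttachUserPolicy granting AdministratorAccess from the same caller, which also catches a rebuilt tool that changed the username.

```python
"""
CloudTrail detection for the FBot-style IAM persistence sequence:
CreateUser followed shortly by AttachUserPolicy with AdministratorAccess.
Example code added alongside the summary; not part of FBot or the report.
"""
import json
from datetime import datetime, timedelta

# Hardcoded IAM username reported for FBot's Mass AWS Checker.
KNOWN_FBOT_USERNAME = "iDevXploit"
# Managed policy the report says the tool attaches to the new user.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail records (not real logs). Access key IDs and the
# benign usernames are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-15T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-01-15T09:00:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"},
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"userName": "iDevXploit"}},
    {"eventTime": "2024-01-15T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"userName": "iDevXploit", "policyArn": ADMIN_POLICY_ARN}},
    # Admin grant to an existing user with no preceding CreateUser: not flagged
    # by this rule (it may be legitimate, or it needs a different detection).
    {"eventTime": "2024-01-15T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000003"},
     "requestParameters": {"userName": "alice", "policyArn": ADMIN_POLICY_ARN}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def actor_of(event):
    """Key the caller by access key ID, falling back to the principal ARN."""
    identity = event.get("userIdentity") or {}
    return identity.get("accessKeyId") or identity.get("arn") or "unknown"


def detect_fbot_iam_persistence(events, window_minutes=10):
    """Return a list of findings over CloudTrail-shaped event dicts.

    Rules:
      fbot-known-username : CreateUser for the reported hardcoded username.
      create-then-admin   : CreateUser followed by AttachUserPolicy with
                            AdministratorAccess for the same new user, by the
                            same caller, within window_minutes.
    """
    findings = []
    recent_creates = {}  # (actor, userName) -> creation time
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        actor = actor_of(ev)
        params = ev.get("requestParameters") or {}
        user = params.get("userName")
        if ev.get("eventName") == "CreateUser" and user:
            recent_creates[(actor, user)] = parse_time(ev["eventTime"])
            if user == KNOWN_FBOT_USERNAME:
                findings.append({"rule": "fbot-known-username", "user": user,
                                 "actor": actor, "time": ev["eventTime"]})
        elif (ev.get("eventName") == "AttachUserPolicy"
              and params.get("policyArn") == ADMIN_POLICY_ARN):
            created_at = recent_creates.get((actor, user))
            if created_at is not None and (
                    parse_time(ev["eventTime"]) - created_at
                    <= timedelta(minutes=window_minutes)):
                findings.append({"rule": "create-then-admin", "user": user,
                                 "actor": actor, "time": ev["eventTime"]})
    return findings


def load_cloudtrail_records(path):
    """Load a CloudTrail log file, which wraps events in a top-level 'Records' list."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    for finding in detect_fbot_iam_persistence(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it evaluates the constructed records; pointing load_cloudtrail_records at an exported CloudTrail file lets the same function run over real history. The caller is keyed by access key ID because the report describes the tool operating on harvested keys, so the CreateUser and AttachUserPolicy calls come from the same compromised key; widening the match to the principal ARN or dropping the time window trades precision for recall.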
Indicators of Compromise
- [SHA1] Bot samples and versions – 1ad78e99918fd66ed43d42a93d2f910a2173b3c5, 2becd32162b2b0cb1afc541e33ace3a29dad96f1, 8ba3fca4deada6dbdc94b17a0c3c55a0b785331e (Bot.py versions dated January 2024, April 2023 and July 2022 respectively)
- [Credential] Hardcoded AWS IAM Username – iDevXploit
- [Credential] Hardcoded AWS IAM Password – MCDonald2021D#1337
- [Domain] PayPal API endpoint domain – robertkalinkin.com (used for PayPal validation requests)