X-Industry

FBot is primarily designed for actors to hijack cloud, SaaS, and web services. There is a secondary focus on obtaining accounts to conduct spamming attacks. Actors can use the credential harvesting features to obtain initial access, which they can sell to other parties.[1]  The tool contains assorted utilities, including an IP address generator and port scanner.  An email validator function also uses an Indonesian technology service provider to validate email addresses.

AWS Targeting - FBot has three functions dedicated to AWS account attacks.  The first is an AWS API Key Generator, handled by function aws_generator, which generates a random AWS access key ID by appending 16 randomly selected alphabetic characters to the standard AKIA prefix.  Then, it generates a secret key from 40 randomly selected alphabetic characters.

Despite FBot’s apparent lack of adopting the Androxgh0st modules, the same feature was highlighted in research on the Legion stealer and an older Androxgh0st variant, which has not changed significantly.  Analysts agree with the aforementioned researchers’ conclusion that this feature is unlikely to succeed at brute forcing account credentials due to the possible number of access key and password combinations.

The second AWS feature is a Mass AWS Checker, handled by the function aws_checker. This function checks for AWS Simple Email Service (SES) email configuration details, including the maximum send quota and rate and how many messages have been sent in the past 24 hours, likely to maximize spamming efforts against the targeted account.  It also creates a new user account with the username iDevXploit and the password MCDonald2021D#1337 and attaches the AdminsitratorAccess policy to elevate privileges for the new account.  Unlike other cloud attack tools such as AlienFox, FBot does not delete the compromised account the attacker used to gain access.

Example EC2 quota output captured by FBot’s ec_checker function

The third and final AWS feature is an AWS EC2 Checker, with the description Get EC2 VCPU Limit handled by function ec_checker.  This function reads a list of AWS identities from a text file in the AccessKey|SecretKey|Region format.  The script uses these values to check the targeted account’s EC2 service quotas.  The FBot menu highlights that this can be used to check vCPU details, although the output is less straightforward.  The query results describe the account’s EC2 configurations and capabilities, such as what EC2 instances can run.   The script iterates through a list of specified AWS regions, runs the query again for each region, and logs the result to a text file.

SaaS & Payment Services Targeting - FBot has several features that target payment services and SaaS configurations.  The PayPal Validator feature is handled by paypal_validator.  This function validates PayPal account status by contacting a hardcoded URL with an email address read from an input list.  The email is added to the request in the customer details section to validate whether an email address is associated with a PayPal account.

The script initiates the PayPal API request via hxxps://www.robertkalinkin.com/index.php, a Lithuanian fashion designer’s retail sales website.  Interestingly, all identified FBot samples use this website to authenticate the PayPal API requests, and several Legion Stealer samples do as well.  PayPal Validator crafts the request to this site with a fake item ID and phony customer details, then parses the response for a status message indicating success.

PayPal validation request data

FBot also targets several SaaS platforms, including Sendgrid and Twilio.  The Sendgrid feature is a Sendgrid API Key Generator, which generates a Sendgrid key formatted like:

SG.{22 characters from [A-Z0-9-_]}.{1 more character from previous range}

The Twilio feature takes the Twilio SID and Twilio Auth Token as input, separated by a pipe.  The function then checks the SID & auth token combination for details about the account, including the balance and which currency, and a list of phone numbers connected to the account.

Web Framework Features - FBot has features for validating if URLs host a Laravel environment file and for extracting credentials from those files. The Hidden Config Scanner feature takes a URL as input and crafts an HTTP GET request to several PHP, Laravel, and AWS-related URIs where configuration values may be stored, including:

The response is parsed for keys and secrets related to the following services and the result is written to a text file:

FBot also targets several popular Content Management Systems (CMS). The function cms_scanner contains a map of CMS and web frameworks to regular expressions (regex) associated with the service.  The program creates a request to the targeted URL and parses the response for the following technologies:

Taxonomy - FBot relies on configuration values to be fed to it through a configuration file (.ini) or through headers that initiate the main class.  Sentinel Labs identified one version that is compiled as a Windows executable.

The string iDevXploit is present across all samples: this handle is credited as the author in the main class.  Additionally, the aws_checker function leaves artifacts in targeted AWS consoles: when FBot creates a new user in the AWS account, the username iDevXploit is consistent across samples, along with the password MCDonald2021D#1337.  Unlike many similar cloud hacktools, FBot does not contain references to the open-source Androxgh0st code found in tools like AlienFox, GreenBot, and Predator.  The logic implemented is very similar: Both Androxgh0st and FBot parse environment configuration files for credentials related to similar mail & cloud services. Still, the implementation is different, and no code seems directly borrowed.

There is considerable overlap with the Legion cloud infostealer in how the tools scrape URLs for PHP configuration.  However, FBot is much smaller and less fully featured than Legion, with FBot samples weighing in at approximately 200 KB and Legion ranging from 800-1200 KB in size.

Conclusion - FBot demonstrates another tool family that continues the trend of adopting cloud attack tool code from one tool into another while maintaining its own distinct flavor. We have seen samples spanning July 2022 to January 2024, showing this tool's continued proliferation.  However, there are relatively few changes across versions, and whether this is actively maintained is unclear.

As of this report, Sentinel Labs cannot identify a distribution channel dedicated to FBot, differentiating the tool from other cloud infostealers often sold on Telegram.  The bot has references to buffer_0x0verfl0w, a Telegram channel associated with various crimeware that has since been retired.  However, analysts found indications that FBot is the product of private development work so that contemporary builds may be distributed through a smaller-scale operation.  This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, a theme prevalent among AlienFox builds.

Organizations should enable multi-factor authentication (MFA) for AWS services with programmatic access.  Create alerts that notify security operations teams when a new AWS user account is added to the organization and alerts for new identities added or significant configuration changes to SaaS bulk mailing applications where possible.

Indicators of Compromise

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941 

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/