FBot is used to take over Amazon Web Services (AWS) accounts in addition to targeting PayPal and other various SaaS applications, such as Office365, SentinelLabs revealed.
SentinelLabs unveiled a report identifying a Python-based tool that cybercriminals are using to compromise cloud computing and software-as-a-service (SaaS) platforms. Alex Delamotte, senior threat researcher at SentinelLabs, said FBot is used to take over Amazon Web Services (AWS) accounts in addition to targeting PayPal and other various SaaS applications, such as Office365.
FBot contains multiple utilities, including an IP address generator and port scanner. There is also an email validator function, which uses an Indonesian technology service provider to validate email addresses. The tool itself appears to be of Indonesian origin, said Dellamotte. The letter F in the tool stands for a term that appears to have been adopted to help market the tool to cybercriminals.
FBot has three functionalities that are dedicated to AWS account attacks. The first is an AWS API Key Generator, handled by function aws_generator, which generates a random AWS access key ID by appending 16 randomly selected alphabetic characters to the standard AKIA prefix. It then generates a secret key from 40 randomly selected alphabetic characters.