FBot is a Python-based hacking toolkit, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio. FBot's primary purpose is to enable actors to hijack cloud, SaaS, and web services, with a secondary focus on acquiring accounts for spamming attacks. The tool provides various utilities, including an IP address generator, a port scanner, and an email validator function that utilizes an Indonesian technology service provider for email address validation.
FBot exhibits three distinct functions focused on AWS account attacks. The first, handled by the aws_generator function, generates a random AWS access key ID and secret key by combining a fixed prefix with randomly selected alphabetic characters. Although FBot otherwise diverges from the Androxgh0st modules, this feature is unchanged from what earlier research documented in the Legion stealer and an older Androxgh0st variant. Its effectiveness for brute-forcing valid credentials is doubtful, however, given the vast number of possible combinations. The second function, aws_checker, implements the "Mass AWS Checker": it inspects the account's AWS Simple Email Service details, creates a new IAM user, and attaches the AdministratorAccess policy to that user for elevated privileges. Unlike other tools, FBot does not delete the accounts it compromises. The third feature, ec_checker, serves as an AWS EC2 Checker: it reads the AWS identities it has collected, queries EC2 service quotas, and logs the results for various regions, giving the operator insight into each account's EC2 configuration and capacity.