URL: https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/
Crimeware


EXPLORING FBOT | PYTHON-BASED MALWARE TARGETING CLOUD AND PAYMENT SERVICES

Alex Delamotte / January 11, 2024


EXECUTIVE SUMMARY

 * FBot is a Python-based hacking tool distinct from other cloud malware
   families, targeting web servers, cloud services, and SaaS platforms like AWS,
   Office365, PayPal, Sendgrid, and Twilio.
 * FBot does not utilize the widely-used Androxgh0st code but shares
   similarities with the Legion cloud infostealer in functionality and design.
 * Key features include credential harvesting for spamming attacks, AWS account
   hijacking tools, and functions to enable attacks against PayPal and various
   SaaS accounts.
 * FBot is characterized by a smaller footprint compared to similar tools,
   indicating possible private development and a more targeted distribution
   approach.


OVERVIEW

The cloud hacktool scene is highly intertwined, with many tools relying on one
another’s code. This is particularly true for malware families like AlienFox,
Greenbot, Legion, and Predator, which share code from a credential scraping
module called Androxgh0st.

We identified a tool that is related but distinct from these families. FBot is a
Python-based attack tool with features to target web servers and cloud services
as well as Software-as-a-Service (SaaS) technologies, including:

 * Amazon Web Services (AWS)
 * Office365
 * PayPal
 * Sendgrid
 * Twilio

FBot is unique in that it apparently does not adapt the Androxgh0st code that
is so common among similar hacktools, even though the earliest reference to
FBot is a year more recent than the first sighting of Androxgh0st. There are,
however, several connections to the Legion cloud infostealer, which makes it
likely that the Legion maintainer adapted code from FBot into their tool.

FBot is primarily designed for actors to hijack cloud, SaaS, and web services.
There is a secondary focus on obtaining accounts to conduct spamming attacks.
Actors can use the credential harvesting features to obtain initial access,
which they can sell to other parties.

The tool contains assorted utilities, including an IP address generator and port
scanner. There is also an email validator function, which uses an Indonesian
technology service provider to validate email addresses.

FBot menu and list of features


AWS TARGETING

FBot has three functions dedicated to AWS account attacks. The first is an AWS
API Key Generator, handled by function aws_generator, which generates a random
AWS access key ID by appending 16 randomly selected alphabetic characters to the
standard AKIA prefix. Then, it generates a secret key from 40 randomly selected
alphabetic characters.

Although FBot does not appear to adopt the Androxgh0st modules, the same
feature was highlighted in research on the Legion stealer and on an older
Androxgh0st variant, and it has not changed significantly. We agree with those
researchers' conclusion that this feature is unlikely to succeed at brute
forcing account credentials, given the number of possible access key and
password combinations.

The second AWS feature is a Mass AWS Checker, handled by function aws_checker.
This function checks for AWS Simple Email Service (SES) email configuration
details, including the maximum send quota and rate, as well as how many messages
have been sent in the past 24 hours, likely to maximize spamming efforts against
the targeted account. It also creates a new IAM user with the username
iDevXploit and the password MCDonald2021D#1337 and attaches the
AdministratorAccess policy to elevate privileges for the new user. Unlike
other cloud attack tools such as AlienFox, FBot does not delete the compromised
account that the attacker used to gain access.

The third and final AWS feature is an AWS EC2 Checker, with the description Get
EC2 VCPU Limit, which is handled by function ec_checker. This function reads a
list of AWS identities from a text file in the format of
AccessKey|SecretKey|Region. The script uses these values to check the targeted
account’s EC2 service quotas. The FBot menu highlights that this can be used to
check vCPU details, although the output is less straightforward. The query
results describe the account’s EC2 configurations and capabilities, such as what
types of EC2 instances can run. The script iterates through a list of specified
AWS regions, runs the query again for each region, and logs the result to a text
file.

Example EC2 quota output captured by FBot’s ec_checker function


SAAS & PAYMENT SERVICES TARGETING

FBot has several features that target payment services as well as SaaS
configurations.

The PayPal Validator feature is handled by paypal_validator. This function
validates PayPal account status by contacting a hardcoded URL with an email
address read from an input list. The email is added to the request in the
customer details section to validate whether an email address is associated with
a PayPal account.

The script sends the PayPal API request via the website
hxxps://www.robertkalinkin.com/index.php, a Lithuanian fashion designer's
retail website. Interestingly, all identified FBot samples use this website to
authenticate the PayPal API requests, and several Legion Stealer samples do as
well.

PayPal Validator crafts the request to this site with a fake item ID as well as
phony customer details, then parses the response for a status message indicating
success.

PayPal validation request data

FBot also targets several SaaS platforms, including Sendgrid and Twilio. The
Sendgrid feature is a Sendgrid API Key Generator, which generates a Sendgrid key
formatted like:

SG.{22 characters from [A-Z0-9-_]}.{1 more character from previous range}

The Twilio feature takes a Twilio SID and Twilio Auth Token as input, separated
by a pipe. The function then checks the SID and auth token combination for
details about the account, including the balance and its currency, and a list
of phone numbers connected to the account.


WEB FRAMEWORK FEATURES

FBot has features for validating if URLs host a Laravel environment file and for
extracting credentials from those files. The Hidden Config Scanner feature takes
a URL as input and crafts an HTTP GET request to several PHP, Laravel, and
AWS-related URIs where configuration values may be stored, including:

 * _profiler/phpinfo
 * config.js
 * .env
 * config/aws.yml
 * .env.bak
 * info.php
 * aws.yml
 * phpinfo
 * aws/credentials
 * phpinfo.php

The response is parsed for keys and secrets related to the following services
and the result is written to a text file:

 * AWS
 * MandrillApp
 * Coinpayments
 * Office365
 * DB_USERNAME (generic database)
 * Plivo
 * Ionos
 * Sendgrid
 * MAIL_PASSWORD (generic SMTP)
 * Twilio
 * Mailgun
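The defensive counterpart to the Hidden Config Scanner is to verify, from inside the server, that none of the paths it requests are actually present under the document root, and to see which of the credential keys it parses for would have been exposed. The following script is an added example written for this page; it is neither FBot code nor SentinelOne's. It assumes filesystem access to the web root, uses the URI list and service names from the article, and reports key names only, never values. The demo directory it builds is constructed for illustration.

```python
"""Audit a web document root for the files FBot's Hidden Config Scanner requests.

Added example (not FBot's code, not SentinelOne's). Walks the exact relative
paths listed in the article, and for each one that exists on disk reports which
Laravel-style KEY=value lines would hand over credentials for the services the
article says FBot parses for. Values are never printed or returned.
"""
import os
import re
import tempfile

# Relative URIs the article lists for the Hidden Config Scanner.
EXPOSED_PATHS = [
    "_profiler/phpinfo", "config.js", ".env", "config/aws.yml", ".env.bak",
    "info.php", "aws.yml", "phpinfo", "aws/credentials", "phpinfo.php",
]

# Service / key tokens from the article's parse list. DB_PASSWORD is added as
# the obvious companion to DB_USERNAME (assumption, not on the page).
SECRET_KEY_RE = re.compile(
    r"^[ \t]*(?P<key>[A-Z0-9_]*(?:AWS|MANDRILL|COINPAYMENTS|OFFICE365|DB_USERNAME"
    r"|DB_PASSWORD|PLIVO|IONOS|SENDGRID|MAIL_PASSWORD|TWILIO|MAILGUN)[A-Z0-9_]*)"
    r"[ \t]*=[ \t]*(?P<val>\S+)",
    re.MULTILINE,
)


def _populated_secret_keys(text):
    """Key names whose value is neither empty nor the literal null."""
    keys = set()
    for m in SECRET_KEY_RE.finditer(text):
        if m.group("val").strip("\"'").lower() not in ("", "null"):
            keys.add(m.group("key"))
    return sorted(keys)


def audit_webroot(root):
    """Return one finding per exposed path that exists under root."""
    findings = []
    for rel in EXPOSED_PATHS:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue
        findings.append({"path": rel, "secret_keys": _populated_secret_keys(text)})
    return findings


def build_demo_root():
    """Create a constructed web root: a leaked .env and a stray info.php."""
    root = tempfile.mkdtemp(prefix="fbot-audit-")
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, ".env"), "w", encoding="utf-8") as fh:
        fh.write(
            "APP_NAME=Shop\n"
            "DB_USERNAME=shop\n"
            "DB_PASSWORD=example-only\n"
            "MAIL_PASSWORD=null\n"                      # unset, must not be reported
            "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented example key
            "AWS_SECRET_ACCESS_KEY=\"example-secret\"\n"
        )
    with open(os.path.join(root, "info.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php phpinfo();\n")
    with open(os.path.join(root, "config", "app.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php return [];\n")                 # not on the scanner's list
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_demo_root()):
        print(f"{finding['path']}: exposed; populated credential keys: {finding['secret_keys']}")
```

Run it against the real document root (`audit_webroot("/var/www/html")`) from a cron job or a CI check; any finding means the web server, not the file's contents, is the thing to fix, since FBot only needs a GET to read it.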

FBot also targets several popular Content Management Systems (CMS). The function
cms_scanner contains a map of CMS and web frameworks to regular expressions
(regex) associated with the service. The program creates a request to the
targeted URL and parses the response for the following technologies:

 * Codeigniter
 * Laravel
 * phpBB
 * Discuz
 * Lithium
 * PrestaShop
 * Drupal
 * Magento
 * vBulletin
 * Esportsify
 * MediaWiki
 * Whmcs
 * FluxBB
 * Moodle
 * WordPress
 * Invision
 * Ning
 * YetAnotherForum
 * Jive
 * OpenCart
 * ZenCart
 * Joomla
 * osCommerce
 * Zimbra


TAXONOMY

FBot expects its configuration values to be supplied either through a
configuration file (.ini) or through the header values that initialize the main
class. We identified one version that is compiled as a Windows executable.

The string iDevXploit is present across all samples: this handle is credited as
the author in the main class. Additionally, the aws_checker function leaves
artifacts in targeted AWS consoles: when FBot creates a new user in the AWS
account, the username iDevXploit is consistent across samples, along with the
password MCDonald2021D#1337.

Unlike many similar cloud hacktools, FBot does not contain references to the
open-source Androxgh0st code found in tools like AlienFox, GreenBot, and
Predator. The logic implemented is very similar in that both Androxgh0st and
FBot parse environment configuration files for credentials related to similar
mail & cloud services, but the implementation is different and no code seems to
be directly borrowed.

There is considerable overlap with the Legion cloud infostealer in how the tools
scrape URLs for PHP configuration. However, FBot is much smaller and less fully
featured than Legion, with FBot samples weighing in at approximately 200 KB and
Legion ranging from 800-1200 KB in size.


CONCLUSION

FBot demonstrates another tool family that continues the trend of adopting cloud
attack tool code from one tool into another, while maintaining its own distinct
flavor. We have seen samples spanning July 2022 to January 2024, showing there
is continued proliferation of this tool. However, there are relatively few
changes across versions and it is unclear whether this is actively maintained.

As of this writing, we are unable to identify a distribution channel dedicated
to FBot, which differentiates the tool from other cloud infostealers often sold
on Telegram. The bot has references to buffer_0x0verfl0w, a Telegram channel
associated with various crimeware that has since been retired. However, we found
indications that FBot is the product of private development work, so
contemporary builds may be distributed through a smaller scale operation. This
aligns with the theme of cloud attack tools being bespoke ‘private bots’
tailored for the individual buyer, which is a theme prevalent among AlienFox
builds.

Organizations should enable multi-factor authentication (MFA) for AWS services
with programmatic access. Create alerts that notify security operations teams
when a new AWS user account is added to the organization, as well as alerts for
new identities added or major configuration changes to SaaS bulk mailing
applications where possible.
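The aws_checker behaviour described above and the alerting recommendation here come together in CloudTrail: a CreateUser call, an AttachUserPolicy granting AdministratorAccess to that same user moments later, and, for this tool, the hard-coded username from the IoC table. The script below is an added example of that detection logic, written for this page rather than taken from FBot or from SentinelOne. It reads standard CloudTrail records (eventTime, eventSource, eventName, userIdentity, requestParameters); the sample records are constructed, the five-minute correlation window is an assumption, and the mapping of the quota lookup the article describes to the SES GetSendQuota API is an inference rather than something the article states.

```python
"""Flag the IAM artifacts FBot's aws_checker leaves behind in CloudTrail.

Added example (not FBot's code, not SentinelOne's). Correlates IAM calls made
by the same caller and returns findings for the signals the article describes:
the hard-coded username iDevXploit, and a freshly created user that receives
AdministratorAccess. Sample records are constructed.
"""
import json
from datetime import datetime, timedelta

KNOWN_USERNAMES = {"iDevXploit"}                      # from the article's IoC table
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=5)                         # assumption: scripted create+attach is fast


def load_cloudtrail(path):
    """Load one CloudTrail log file ({"Records": [...]}) and return its records."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _caller(event):
    ident = event.get("userIdentity") or {}
    return ident.get("accessKeyId") or ident.get("arn") or "unknown"


def detect(events):
    """Return (severity, message) findings for a list of CloudTrail records."""
    findings = []
    created = {}         # new userName -> (creation time, caller)
    creators = set()     # callers that created at least one user
    ses_lookups = set()  # callers that queried the SES send quota
    for e in sorted(events, key=_ts):
        src, name = e.get("eventSource"), e.get("eventName")
        params = e.get("requestParameters") or {}
        caller = _caller(e)
        # Quota, rate and messages sent in 24h are what GetSendQuota returns
        # (inference from the article's description, not stated on the page).
        if src == "ses.amazonaws.com" and name == "GetSendQuota":
            ses_lookups.add(caller)
            continue
        if src != "iam.amazonaws.com":
            continue
        user = params.get("userName")
        if name == "CreateUser" and user:
            created[user] = (_ts(e), caller)
            creators.add(caller)
            if user in KNOWN_USERNAMES:
                findings.append(("high", f"CreateUser with known FBot username {user!r} by {caller}"))
        elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            prior = created.get(user)
            if prior and prior[1] == caller and _ts(e) - prior[0] <= WINDOW:
                delay = int((_ts(e) - prior[0]).total_seconds())
                findings.append(("high", f"AdministratorAccess attached to {user!r} {delay}s after the same caller created it"))
            else:
                findings.append(("medium", f"AdministratorAccess attached to {user!r} by {caller}"))
    for caller in sorted(ses_lookups & creators):
        findings.append(("low", f"SES send-quota lookup and IAM user creation by the same caller {caller}"))
    return findings


# Constructed sample: one scripted takeover sequence and one benign admin action.
_KEY = {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}   # AWS's documented example key
_ADMIN = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T12:00:01Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": _KEY, "requestParameters": None},
    {"eventTime": "2024-01-10T12:00:03Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": _KEY, "requestParameters": {"userName": "iDevXploit"}},
    {"eventTime": "2024-01-10T12:00:04Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userIdentity": _KEY, "requestParameters": {"userName": "iDevXploit", "passwordResetRequired": False}},
    {"eventTime": "2024-01-10T12:00:05Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _KEY, "requestParameters": {"userName": "iDevXploit", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2024-01-11T09:15:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": _ADMIN, "requestParameters": {"userName": "ci-reader"}},
    {"eventTime": "2024-01-11T09:16:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _ADMIN, "requestParameters": {"userName": "ci-reader",
                                                    "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The username match is the cheap, brittle signal; the create-then-attach-admin correlation is the one worth keeping as a standing rule, since the hard-coded name will change the day someone edits one string. The benign ReadOnlyAccess grant in the sample produces no finding.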


INDICATORS OF COMPROMISE

SHA1 / Indicator                            Notes
1ad78e99918fd66ed43d42a93d2f910a2173b3c5    Bot.py, January 2024 version of FBot
2becd32162b2b0cb1afc541e33ace3a29dad96f1    April 2023 version of FBot
8ba3fca4deada6dbdc94b17a0c3c55a0b785331e    Bot.py, July 2022 version of FBot
iDevXploit                                  Hardcoded AWS IAM Username
MCDonald2021D#1337                          Hardcoded AWS IAM User password
