A report released today by SentinelLabs, the research arm of publicly listed cybersecurity company SentinelOne Inc., warns of a new, sophisticated Python-based malware tool targeting cloud and payment services.
Dubbed “FBot,” the malware is said to represent a significant threat because of its specific targeting of web servers, cloud services and software-as-a-service platforms, including Amazon Web Services Inc., Microsoft Corp.’s Office 365, PayPal Holdings Inc., Sendgrid Inc. and Twilio Inc.
Unlike many other cloud-focused malware families, FBot is not derived from the commonly used Androxgh0st code; instead it shares similarities with the Legion cloud infostealer, suggesting a different lineage in malware development. Its primary functions include credential harvesting, AWS account hijacking and attacks on PayPal and various SaaS accounts.
FBot is said to be characterized by a smaller footprint compared with similar tools, indicating possible private development and a more focused distribution strategy.
The malware features a range of tools, including an IP address generator, port scanner, email validator, AWS API Key Generator, Mass AWS Checker, AWS EC2 Checker and specific tools targeting Sendgrid and Twilio. FBot is also capable of targeting popular content management systems such as WordPress.
It can also check whether a URL exposes a Laravel environment file, the .env configuration file Laravel applications use to store environment-specific variables such as database credentials, application programming interface keys and other sensitive values. FBot takes its targets and credentials from configuration files or header values, and it is also distributed in versions compiled as a Windows executable.
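The Laravel check described above, turned around for defenders, as an added example that is not code from the SentinelLabs report or from FBot: request /.env under a web root, confirm the body actually parses as a dotenv file with Laravel's markers (so a single-page app that answers every path with HTML and a 200 does not count as a leak), and list which secret-bearing keys are exposed. The key list, the `env-audit` user agent and the sample responses are this example's own assumptions; the `fetch` parameter is injectable so the check runs offline against the constructed responses below.

```python
"""Audit web roots for an exposed Laravel .env file (added example)."""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Keys whose values are credentials or tokens (assumed list, not exhaustive).
SENSITIVE_KEYS = (
    "APP_KEY", "DB_PASSWORD", "AWS_SECRET_ACCESS_KEY", "MAIL_PASSWORD",
    "TWILIO_AUTH_TOKEN", "SENDGRID_API_KEY", "PUSHER_APP_SECRET",
)

_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def env_probe_url(base_url: str) -> str:
    """Build the URL an FBot-style scanner requests: the web root plus /.env."""
    return urljoin(base_url.rstrip("/") + "/", ".env")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse dotenv-style KEY=VALUE lines; HTML or plain prose yields nothing."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        # Strip surrounding quotes, or a trailing inline comment on a bare value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        result[key] = value
    return result


def is_laravel_env(env: Dict[str, str]) -> bool:
    """A Laravel .env always carries APP_KEY and APP_ENV; use both as the marker."""
    return "APP_KEY" in env and "APP_ENV" in env


def exposed_secrets(env: Dict[str, str]) -> List[str]:
    """Sensitive keys that are present with a non-empty value."""
    return [k for k in SENSITIVE_KEYS if env.get(k)]


def http_get(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher: body on HTTP 200, None on error or any other status."""
    try:
        req = Request(url, headers={"User-Agent": "env-audit/1.0"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace") if resp.status == 200 else None
    except Exception:
        return None


def check_host(base_url: str, fetch: Callable[[str], Optional[str]] = http_get) -> dict:
    """Probe one web root. `fetch` is injectable so the check can run offline."""
    url = env_probe_url(base_url)
    body = fetch(url)
    env = parse_dotenv(body) if body else {}
    laravel = is_laravel_env(env)
    return {
        "url": url,
        "reachable": body is not None,
        "laravel_env": laravel,
        "exposed": exposed_secrets(env) if laravel else [],
    }


# Constructed sample responses (fictional hosts): one leaking Laravel .env,
# one SPA whose catch-all route returns HTML with a 200 for any path.
SAMPLE_RESPONSES = {
    "https://shop.example/.env": (
        "APP_NAME=Shop\n"
        "APP_ENV=production\n"
        "APP_KEY=base64:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5MDE=\n"
        "DB_PASSWORD=\"s3cret pass\"\n"
        "MAIL_PASSWORD=\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY # rotate\n"
    ),
    "https://app.example/.env": "<!doctype html><html><head><title>App</title></head><body>ok</body></html>",
}

if __name__ == "__main__":
    for host in ("https://shop.example", "https://app.example", "https://down.example"):
        print(check_host(host, SAMPLE_RESPONSES.get))
```

In production, swap the constructed dictionary for the real `http_get` and run the check against your own hosts; a `laravel_env` hit with a non-empty `exposed` list means the file is being served and every listed credential should be treated as compromised and rotated, not merely hidden.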
The SentinelLabs researchers argue that the private nature of FBot’s development sets it apart from other widely distributed malware tools. The report warns of FBot’s potential impact on cloud and payment security and calls for heightened vigilance among organizations. Organizations are advised to enable multifactor authentication on AWS accounts where it is not already in place and to configure alerts for unusual activity in their cloud services to mitigate the risk posed by this emerging threat.
“Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible,” the researchers conclude.
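The first of those alerts, new AWS user accounts, as an added example that is not from the report: a detection that runs over CloudTrail records (the objects in the `Records` array of a delivered log file) and raises an alert when an IAM user, access key, console password or policy grant is created, escalating when the same caller creates a user and then an access key for it in quick succession, which is how a stolen key is turned into durable access. The CloudTrail field names are the standard ones; the rule names, severities, 15-minute window and the sample records are this example's own assumptions.

```python
"""Flag new IAM identities and privilege grants in CloudTrail (added example)."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# IAM write events that create a new identity or extend an existing one's reach.
WATCHED_EVENTS = {
    "CreateUser": "iam-new-user",
    "CreateAccessKey": "iam-new-access-key",
    "CreateLoginProfile": "iam-new-console-password",
    "AttachUserPolicy": "iam-policy-attached",
    "PutUserPolicy": "iam-inline-policy",
}
BOOTSTRAP_WINDOW = timedelta(minutes=15)  # assumed tuning value


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _alert(rule: str, severity: str, rec: dict, target: str) -> Dict[str, str]:
    return {
        "rule": rule,
        "severity": severity,
        "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
        "target": target,
        "source_ip": rec.get("sourceIPAddress", ""),
        "time": rec["eventTime"],
    }


def detect_iam_changes(records: Iterable[dict]) -> List[Dict[str, str]]:
    """One alert per watched IAM event (denied attempts included at lower
    severity), plus a critical alert when the creator of a user also issues
    that user an access key within BOOTSTRAP_WINDOW."""
    alerts: List[Dict[str, str]] = []
    created_users: Dict[str, tuple] = {}  # userName -> (creator arn, time)
    for rec in sorted(records, key=_ts):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        rule = WATCHED_EVENTS.get(rec.get("eventName", ""))
        if rule is None:
            continue
        target = (rec.get("requestParameters") or {}).get("userName", "")
        failed = "errorCode" in rec
        alerts.append(_alert(rule, "medium" if failed else "high", rec, target))
        if failed:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if rec["eventName"] == "CreateUser":
            created_users[target] = (actor, _ts(rec))
        elif rec["eventName"] == "CreateAccessKey" and target in created_users:
            creator, when = created_users[target]
            if creator == actor and _ts(rec) - when <= BOOTSTRAP_WINDOW:
                alerts.append(_alert("iam-user-bootstrapped-with-key", "critical", rec, target))
    return alerts


def _rec(name, time, actor, src, params=None, error=None, source="iam.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record for the constructed sample."""
    rec = {
        "eventVersion": "1.08", "eventTime": time, "eventSource": source,
        "eventName": name, "sourceIPAddress": src,
        "userIdentity": {"type": "IAMUser", "arn": actor},
        "requestParameters": params or {},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample records (fictional account, users and IPs).
DEPLOY = "arn:aws:iam::123456789012:user/deploy"
SAMPLE_RECORDS = [
    _rec("DescribeInstances", "2024-01-11T10:00:00Z", DEPLOY, "203.0.113.5", source="ec2.amazonaws.com"),
    _rec("CreateUser", "2024-01-11T10:01:10Z", DEPLOY, "203.0.113.5", {"userName": "backup-svc"}),
    _rec("CreateAccessKey", "2024-01-11T10:01:12Z", DEPLOY, "203.0.113.5", {"userName": "backup-svc"}),
    _rec("AttachUserPolicy", "2024-01-11T10:01:15Z", DEPLOY, "203.0.113.5",
         {"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("CreateUser", "2024-01-11T10:05:00Z", "arn:aws:iam::123456789012:user/readonly",
         "198.51.100.7", {"userName": "tmp"}, error="AccessDenied"),
]

if __name__ == "__main__":
    for a in detect_iam_changes(SAMPLE_RECORDS):
        print(f"[{a['severity']:8}] {a['rule']:32} actor={a['actor']} target={a['target']} ip={a['source_ip']}")
```

The same shape of rule, keyed on the audit events of the mailing platform rather than on CloudTrail, covers the second half of the recommendation for SendGrid or Twilio, where a new API key or sender identity is the equivalent of a new IAM user.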