While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This is the seventh version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox. This script is exactly as advertised: a script that automates tasks performed by a threat actor on a compromised web server. While this script is not used to exploit a vulnerability, it is a post-exploitation script that is run from a location under the threat actor’s control and can be used to maintain persistence or upload additional malware on a website that the threat actor has already accessed through an exploited vulnerability.
Some of the malicious functions are built-in, while others are performed by downloading and running additional scripts from a hardcoded location. Threat actors often try to automate anything they can, and this script is one of the more versatile malicious scripts out there. This script allows for anything from simple information stealing attacks, up to full site takeover, and more.
Anonymous Fox is a threat group that was inspired by the works of Anonymous, but is not affiliated with the better-known hacktivists. Publicly, they are mainly focused on NFTs, and have even hired an artist to create images for their NFTs. However, the group also has indicated a strong opposition to governments and large corporations. Anonymous Fox has called for action to be taken to break down public-private partnerships, and has published a list of corporations they would like to hack, including Google and Amazon. In an interesting twist, their tools tend to be used against small businesses and individuals far more often than against corporations and governments.
The Fox Doesn’t Want You to Know What It Says
The initial script itself is only 6 lines of code, with a number of empty lines thrown in. The most important line in the script is line 17. This is where the entire malicious script actually resides, but encoded and compressed.
developed by a Reddit user as a response to a challenge in the r/dailyprogrammer subreddit.
performs many functions, including password resets, uploading and injecting backdoors and mailers, information stealing, attempting to gain access to the server itself, and many other functions. This is also a versatile script because it accounts for different types of servers, as well as common content management systems, including WordPress, Joomla!, OpenCart, and Drupal.
The Fox Hides
Many of the functions are not built into this script. Common scripts and applications may be downloaded and installed from servers under the control of Anonymous Fox. Some of these uploads could be plugins (also known as extensions or modules in non-WordPress websites), or scripts like LeafMailer for sending emails, backdoors and shell scripts, configuration files, and even additional malware or other tools that may be of use to the threat actor. Rather than including these scripts within the F-Automatical script, they are pulled from locations under the control of Anonymous Fox, but these locations are not readily visible within the script. This is another spot where we have to use the functionality in the script to deobfuscate the code and see where these scripts are being pulled from.
two-factor authentication (2FA). This will require a second form of authentication in addition to the password, so even if the threat actor is able to change a password, it won’t be enough to access the account. cPanel now supports 2FA as well, though you may need to contact your host to see if their configuration supports it.
The Fox Shows No Mercy
Remember that list of functions this script could do? Let’s look at option 29. This portion of the script finds the website control panel and accesses a shell to give the threat actor the ability to run the commands of their choosing on an infected system.
Free, Premium, Care, and Response, against exploits targeting WordPress authentication. If you believe your site has been exploited by F-Automatical or any other malware, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
The post What Does The Fox Hack? Breaking Down the Anonymous Fox F-Automatical Script appeared first on Wordfence.