While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This is the seventh version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox. This script is exactly as advertised: a script that automates tasks performed by a threat actor on a compromised web server. While this script is not used to exploit a vulnerability, it is a post-exploitation script that is run from a location under the threat actor’s control and can be used to maintain persistence or upload additional malware on a website that the threat actor has already accessed through an exploited vulnerability.
Some of the malicious functions are built-in, while others are performed by downloading and running additional scripts from a hardcoded location. Threat actors often try to automate anything they can, and this script is one of the more versatile malicious scripts out there. This script allows for anything from simple information stealing attacks, up to full site takeover, and more.
Anonymous Fox is a threat group that was inspired by the works of Anonymous, but is not affiliated with the better-known hacktivists. Publicly, they are mainly focused on NFTs, and have even hired an artist to create images for their NFTs. However, the group also has indicated a strong opposition to governments and large