What Does The Fox Hack? Breaking Down the Anonymous Fox F-Automatical Script
While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This is the seventh version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox. This script is exactly as advertised: a script that automates tasks performed by a threat actor on a compromised web server. While this script is not used to exploit a vulnerability, it is a post-exploitation script that is run from a location under the threat actor’s control and can be used to maintain persistence or upload additional malware on a website that the threat actor has already accessed through an exploited vulnerability.
Some of the malicious functions are built-in, while others are performed by downloading and running additional scripts from a hardcoded location. Threat actors often try to automate anything they can, and this script is one of the more versatile malicious scripts out there. This script allows for anything from simple information stealing attacks, up to full site takeover, and more.
Anonymous Fox is a threat group that was inspired by the works of Anonymous, but is not affiliated with the better-known hacktivists. Publicly, they are mainly focused on NFTs, and have even hired an artist to create images for their NFTs. However, the group also has indicated a strong opposition to governments and large corporations. Anonymous Fox has called for action to be taken to break down public-private partnerships, and has published a list of corporations they would like to hack, including Google and Amazon. In an interesting twist, their tools tend to be used against small businesses and individuals far more often than against corporations and governments.
The Fox Doesn’t Want You to Know What It Says
The initial script itself is only 6 lines of code, with a number of empty lines thrown in. The most important line in the script is line 17. This is where the entire malicious script actually resides, but encoded and compressed.
Once this line has been decompressed and decoded, we find a much larger script, consisting of more than 2,500 lines of code. While there is still a layer of obfuscation in place, a significant portion of the script is now readable by anyone who knows Python. The remaining obfuscation seems to be using an obscure method of encoding the text, based on a method developed by a Reddit user as a response to a challenge in the r/dailyprogrammer subreddit.
While this obfuscation method is well documented, which makes reversing the obfuscation possible, some well-placed print statements can make fast work of decoding important pieces of the script. This obfuscation could be considered overkill, considering the fact that a capital ‘F’ is encoded as
str("".join(chr(__RSV) for __RSV in [(___neoostdfluai+____hyrblqdmgtxk+(((((__ehykazitkvvj