What Does The Fox Hack? Breaking Down the Anonymous Fox F-Automatical Script

The article analyzes F-Automatical (FoxAuto) as Anonymous Fox’s seventh version of an automatic C2 script that runs post-exploitation tasks on compromised web servers. It covers how the script can persist, fetch remote modules, target multiple CMS, obfuscate its payload, reset cPanel passwords, and even capture and upload screenshots via Gyazo, with observable indicators and defenses discussed.
#F_Automatical #AnonymousFox

Keypoints

  • F-Automatical is the seventh version of Anonymous Fox’s automatic C2 script, designed for post-exploitation on compromised sites.
  • It automates a wide range of attacker tasks, including persistence, backdoors, information stealing, and potential site takeover.
  • Some functions are built-in, while others are downloaded from attacker-controlled locations, using hardcoded remote scripts.
  • The toolkit is versatile across CMS platforms and server types, including WordPress, Joomla!, OpenCart, and Drupal.
  • Heavy obfuscation is used, with the main payload hidden in encoded/compressed lines and multi-layer encoding.
  • It can reset cPanel passwords via WHM to compromise multiple sites and may provide shell access to infected systems; 2FA is recommended as a mitigation.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The script downloads and runs additional scripts from a hardcoded location. ‘downloading and running additional scripts from a hardcoded location’
  • [T1027] Obfuscated/Compressed Files or Information – The main payload is stored encoded and compressed, and is only revealed after decoding and decompression. ‘encoded and compressed’
  • [T1059.004] Unix Shell – The script configures a new shell connection to allow the attacker to run commands on the infected server. ‘configures a new shell connection that the threat actor can send malicious commands to the server through’
  • [T1567.002] Exfiltration to Cloud Storage – Gyazo API usage to take and upload screenshots of compromised assets for proof and resale. ‘take screenshots of successfully uploaded webshells and mailer scripts, typically used as proof when reselling access to a hacked site, and to save them in a searchable and web-accessible location’
  • [T1136] Create or Modify Accounts – WHM-based password resets (cPanel) to gain or maintain access across sites. ‘reset cPanel passwords’

Indicators of Compromise

  • [File Hashes] Observed sample hashes for multiple script variants – F.py (MD5: 49a4a453b10715f0ed0ab3775dce76d8, SHA-256: ae544ff7385af2dcb57ecb1e3193048a59639e203334b90c5b29dc96730b08ed), f.php (MD5: 88c69bd369d3400efcb517ad799f5e32, SHA-256: 0e8cb823c8ba1ada61cba424709028a306f54ff596292070e0d00b4dea94799c), and 2 more hashes
  • [IP Addresses] Infrastructure used by attackers – 104.21.33.221, 104.21.55.215, and 6 more addresses
  • [Domain Names] Malicious domains referenced by the script – fcs.is, ufox.co, and 3 more domains (e.g., youfox.co, anonymousfox.co.uk, anonymousfox.is)
  • [User-Agent] Unique user-agent string associated with the tool – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
  • [File Names] Sample files linked to the toolkit – F.py, f.php, and 2 more files (e.g., llsjxdcr.php, mblircic.php)
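As an added defender-side example (not code from the Wordfence article or from the toolkit), the following Python snippet checks web server access-log lines against the indicators listed above. It assumes the Apache/nginx "combined" log format, uses only the indicators spelled out on this page (the elided "and N more" entries are unknown here), and runs on constructed sample lines.

```python
import re

# Indicators taken from the summary above; the "and N more" entries are not known here.
FOX_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36")
FOX_FILENAMES = {"f.py", "f.php", "llsjxdcr.php", "mblircic.php"}
FOX_IPS = {"104.21.33.221", "104.21.55.215"}

# Assumption: logs use the "combined" layout (ip ident user [ts] "req" status bytes "ref" "ua").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def match_line(line):
    """Return the indicator labels a single access-log line matches (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    if m["ua"] == FOX_USER_AGENT:
        hits.append("user-agent")
    if m["ip"] in FOX_IPS:
        hits.append("source-ip")
    # Compare only the final path component, case-insensitively (F.py vs f.py), ignoring the query string.
    basename = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if basename in FOX_FILENAMES:
        hits.append("file-name")
    return hits


def scan_log(lines):
    """Return (line_number, source_ip, path, hits) for every line matching at least one indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            m = LOG_RE.match(line.strip())
            findings.append((n, m["ip"], m["path"], hits))
    return findings


# Constructed sample log lines (not real traffic); only line 2 and 3 should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '104.21.33.221 - - [12/Oct/2022:10:00:02 +0000] "POST /wp-content/uploads/llsjxdcr.php HTTP/1.1" 200 88 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"',
    '198.51.100.7 - - [12/Oct/2022:10:00:03 +0000] "GET /mblircic.php?p=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} {path} -> {', '.join(hits)}")
```

A single user-agent or file-name hit is a lead to triage, not proof on its own; a line matching several indicators at once (as the second sample line does) deserves immediate attention.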

Read more: https://www.wordfence.com/blog/2022/10/what-does-the-fox-hack-breaking-down-the-anonymous-fox-f-automatical-script/