A financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis, which is not to be confused with an Android banking trojan with the same name. This backdoor enables the threat actors to gain remote access to compromised Windows systems.
According to Swiss cybersecurity company PRODAFT, in a technical report on the malware, “This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine.”
FIN7, also known as Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian cybercrime group known for its constantly evolving and expanding set of malware families used for obtaining initial access and data exfiltration. Recently, the group has transitioned into a ransomware affiliate.
In July 2024, the group was observed using various online aliases to promote a tool called AuKill (also known as AvNeutralizer), which is capable of terminating security tools, likely in an attempt to diversify its monetization strategy.
Anubis is believed to be spread through malspam campaigns that trick victims into executing the payload hosted on compromised SharePoint sites.
The malware is delivered as a ZIP archive whose entry point is a Python script that decrypts the main obfuscated payload and executes it directly in memory. Once launched, the backdoor connects to a remote server over a TCP socket and exchanges Base64-encoded messages with it.
The server's responses, also Base64-encoded, instruct the backdoor to collect the host's IP address, upload or download files, change the current working directory, read environment variables, modify the Windows Registry, load DLL files into memory using PythonMemoryModule, and terminate itself.
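The description above gives a defender one concrete network signature to work with: a raw TCP channel (not HTTP) in which both the requests and the responses are Base64-wrapped text. The following is an added example, not code from PRODAFT, GDATA or the Anubis sample itself, of a heuristic that groups reassembled TCP payloads by stream and flags streams whose traffic in both directions is well-formed Base64 that decodes to printable text. The record format, addresses, ports and message contents are constructed for illustration and are not observed Anubis traffic.

```python
import base64
import binascii
import re
from collections import defaultdict

# Strict Base64 alphabet with optional padding. Anubis-style C2 traffic is
# Base64 text on a raw socket, so a message that fails this check is not a
# candidate (HTTP lines contain spaces and slashes in the wrong places, TLS
# records contain non-alphabet bytes).
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(payload: bytes, min_len: int = 8):
    """Return decoded bytes if `payload` is well-formed, padded Base64, else None."""
    body = payload.strip()
    if len(body) < min_len or len(body) % 4 != 0 or not _B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_mostly_text(data: bytes, threshold: float = 0.95) -> bool:
    """True if `data` is overwhelmingly printable ASCII (commands, paths, env vars).
    Base64 that decodes to binary (a transferred file chunk) is deliberately not
    counted as a control message."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def scan_streams(records, min_messages: int = 2):
    """Group payloads by TCP stream and return the streams in which BOTH
    directions carried Base64-wrapped text, the shape of a request/response
    channel like the one described for Anubis.
    Result: {stream: {"c2s": count, "s2c": count, "samples": [decoded...]}}."""
    per_stream = defaultdict(lambda: {"c2s": 0, "s2c": 0, "samples": []})
    for rec in records:
        decoded = decode_if_base64(rec["payload"])
        if decoded is None or not is_mostly_text(decoded):
            continue
        entry = per_stream[rec["stream"]]
        entry[rec["direction"]] += 1
        entry["samples"].append(decoded.decode("ascii", "replace"))
    return {
        stream: info
        for stream, info in per_stream.items()
        if info["c2s"] >= 1 and info["s2c"] >= 1
        and info["c2s"] + info["s2c"] >= min_messages
    }


def _b64(text: str) -> bytes:
    return base64.b64encode(text.encode())


# Constructed sample payloads: the stream identifiers, ports and message
# contents are assumptions for illustration, not captured Anubis traffic.
SAMPLE_RECORDS = [
    {"stream": "10.0.0.5:49213->203.0.113.7:4444", "direction": "c2s",
     "payload": _b64("host=DESKTOP-01 ip=10.0.0.5")},
    {"stream": "10.0.0.5:49213->203.0.113.7:4444", "direction": "s2c",
     "payload": _b64("cd C:\\Users\\Public")},
    {"stream": "10.0.0.5:49213->203.0.113.7:4444", "direction": "c2s",
     "payload": _b64("cwd=C:\\Users\\Public")},
    # Plain HTTP: not Base64, ignored by the heuristic.
    {"stream": "10.0.0.5:49300->198.51.100.9:80", "direction": "c2s",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"stream": "10.0.0.5:49300->198.51.100.9:80", "direction": "s2c",
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    # Base64 that decodes to binary: valid Base64 but fails the text check.
    {"stream": "10.0.0.5:49400->192.0.2.3:8443", "direction": "c2s",
     "payload": base64.b64encode(bytes(range(256)))},
    # TLS record header bytes: fails the Base64 alphabet check.
    {"stream": "10.0.0.5:49400->192.0.2.3:8443", "direction": "s2c",
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"},
]


def flagged_streams(records=SAMPLE_RECORDS):
    """Sorted list of stream identifiers the heuristic flags."""
    return sorted(scan_streams(records))


if __name__ == "__main__":
    for stream, info in scan_streams(SAMPLE_RECORDS).items():
        print(stream, info["c2s"], info["s2c"], info["samples"])
```

Only the first stream is flagged: the HTTP exchange never passes the Base64 check, and the third stream has one direction that decodes to binary and another that is not Base64 at all. In production the same logic would sit on reassembled flows from a sensor and would be combined with port, destination and process context, since legitimate protocols also occasionally ship Base64 text over raw sockets.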
According to an independent analysis of Anubis by German security company GDATA, the backdoor can also execute the content of operator-supplied responses as shell commands on the victim system, which means attackers can perform actions such as keylogging, taking screenshots, or stealing passwords on demand without storing any of those capabilities on the infected machine.
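Because the capabilities are pushed at runtime rather than stored on disk, the durable host-side artefact is the process relationship: a Python interpreter, unpacked from a ZIP into a user-writable directory, spawning a command shell. The following is an added example, not code from GDATA or PRODAFT, of a rule over process-creation events that flags a shell whose parent is python.exe or pythonw.exe, and raises the severity when that interpreter runs from a location a phished user would unpack an archive into. The event field names and sample events are constructed for illustration; the set of user-writable path markers is an assumption to adapt to the environment.

```python
import ntpath

# Shells the backdoor would have to spawn to run an operator-supplied command.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}

# Path fragments typical of where a phishing-delivered ZIP is unpacked.
# This list is an assumption; extend it for the environment being monitored.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def classify(event):
    """Return a finding for a python -> shell spawn, or None if the event is uninteresting.
    Severity is 'high' when the interpreter itself lives in a user-writable
    location (a dropped interpreter), 'medium' for a system-wide install,
    which is common on developer machines and needs analyst triage."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in PYTHON_IMAGES or child not in SHELLS:
        return None
    severity = "high" if in_user_writable_dir(event["parent_image"]) else "medium"
    return {"pid": event["pid"], "severity": severity, "cmdline": event["cmdline"]}


def detect_python_spawned_shells(events):
    """Apply `classify` to a list of process-creation events; returns the findings."""
    return [finding for finding in (classify(e) for e in events) if finding]


# Constructed process-creation events in a Sysmon Event ID 1 style.
# Paths, PIDs and command lines are assumptions for illustration only.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\report\\python.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "python.exe loader.py"},
    {"pid": 4188, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Users\\user\\AppData\\Local\\Temp\\report\\python.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"pid": 4190, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Users\\user\\AppData\\Local\\Temp\\report\\python.exe",
     "cmdline": "powershell.exe -NoProfile Get-Clipboard"},
    # System-wide interpreter running a build helper: plausible on a dev box.
    {"pid": 5001, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Python312\\python.exe",
     "cmdline": "cmd.exe /c pip --version"},
    # Dropped interpreter launching a non-shell child: not covered by this rule.
    {"pid": 5010, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Users\\user\\AppData\\Local\\Temp\\report\\python.exe",
     "cmdline": "notepad.exe"},
]


if __name__ == "__main__":
    for finding in detect_python_spawned_shells(SAMPLE_EVENTS):
        print(finding["severity"], finding["pid"], finding["cmdline"])
```

Three of the five constructed events produce findings: the two shells spawned by the interpreter under the user's Temp directory are rated high, while the shell spawned by the system-wide C:\Python312 interpreter is rated medium for triage. The rule deliberately keys on the parent interpreter's location rather than on the command line, since the commands are chosen by the operator at runtime and cannot be enumerated in advance.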
As noted by PRODAFT, “By keeping the backdoor as lightweight as possible, they reduce the risk of detection while maintaining flexibility for executing further malicious activities.”