FIN7 Linked to Sophisticated Python-Based Anubis Backdoor Targeting Windows Systems

Introduction

Cybersecurity researchers have uncovered a new chapter in the operations of FIN7, a well-known financially motivated cybercrime group. This threat actor has now been associated with a Python-based backdoor named Anubis—distinct from the Android banking trojan of the same name. The malware enables attackers to gain full remote access to compromised Windows machines, underlining FIN7’s continuous evolution and technical capabilities.

The Anubis Malware: Capabilities and Delivery Method

The Anubis backdoor is engineered to provide attackers with remote shell access and a range of administrative-level controls over infected systems. According to a technical analysis by Swiss cybersecurity firm PRODAFT, once deployed, Anubis empowers attackers to perform various system operations, essentially giving them full command of the target environment.

This malicious tool is believed to be distributed through malspam campaigns, with attackers luring victims into downloading payloads hosted on compromised Microsoft SharePoint sites. The infection chain typically begins with a ZIP file that contains a Python script. This script decrypts and executes the main obfuscated payload directly in system memory, thus avoiding detection by conventional security solutions.

Advanced Communication and Command Execution

Anubis establishes a communication channel with its command-and-control (C2) server using Base64-encoded data transmitted over a TCP socket. This mechanism facilitates multiple remote operations, such as:

  • Collecting the IP address of the compromised system
  • Uploading and downloading files
  • Modifying the current working directory
  • Accessing environment variables
  • Editing Windows Registry entries
  • Injecting DLL files into memory using PythonMemoryModule
  • Self-termination

German cybersecurity company G DATA has independently confirmed that Anubis can execute commands received from the server directly in the system shell. This includes tasks like keylogging, capturing screenshots, and harvesting user credentials—all without embedding those functions directly into the malware. This lightweight approach minimizes its digital footprint, making it more difficult for security tools to detect the backdoor’s presence.
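As an added illustration of the two traits described above, the infection chain (a ZIP carrying a Python script that decodes and runs its payload in memory) and the Base64-over-TCP command channel, here is a small triage script written for this article; it is not part of PRODAFT's or G DATA's analysis or tooling. It scans the Python members of a ZIP archive for those markers; the archives, file names and the TEST-NET address it uses are constructed for the example.

```python
import io
import re
import zipfile

# Triage markers for the traits the article describes in a dropped Python script:
# Base64 decoding, in-memory execution, a raw TCP socket, DLL loading through
# PythonMemoryModule. Hints for an analyst, not a signature: each is common alone.
MARKERS = {
    "base64_decode": re.compile(rb"b64decode\s*\("),
    "in_memory_exec": re.compile(rb"\bexec\s*\(|\bcompile\s*\(|marshal\.loads"),
    "tcp_socket": re.compile(rb"socket\.socket\s*\(|\.connect\s*\("),
    "dll_injection": re.compile(rb"pythonmemorymodule", re.I),
}

def scan_python_members(zip_bytes):
    """Return {member name: [matched marker names]} for every .py/.pyw member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".py", ".pyw")):
                continue
            data = zf.read(info)
            hits = [name for name, rx in MARKERS.items() if rx.search(data)]
            if hits:
                findings[info.filename] = hits
    return findings

def triage_score(findings):
    """Distinct markers across all members; three or more merits a closer look."""
    return len({m for hits in findings.values() for m in hits})

def build_sample(script_name, script_body):
    """Constructed in-memory ZIP holding one script (sample data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(script_name, script_body)
    return buf.getvalue()

# Constructed samples: an ordinary helper script, and a loader-shaped script that
# only mirrors the traits above (nonexistent input file, TEST-NET address).
# Neither script is executed here; the archives are only scanned.
BENIGN_ZIP = build_sample("report.py", "import csv\nrows = list(csv.reader(open('a.csv')))\n")
SUSPICIOUS_ZIP = build_sample(
    "update.py",
    "import base64, socket\n"
    "blob = base64.b64decode(open('payload.bin', 'rb').read())\n"
    "exec(compile(blob, '<mem>', 'exec'))\n"
    "sock = socket.socket(); sock.connect(('203.0.113.5', 443))\n",
)
```

Calling scan_python_members on the two constructed archives returns no findings for the benign one and three markers for the loader-shaped one, which triage_score turns into a count a mail-gateway or sandbox pipeline can threshold on.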

FIN7’s Broader Cybercrime Activity

FIN7—also identified under aliases such as Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug—has long been recognized for its dynamic malware ecosystem. Initially focused on gaining unauthorized access and extracting sensitive data, the group has recently expanded its operations to include ransomware-related activities, likely through affiliate programs.

In mid-2024, researchers observed FIN7 promoting a security-disabling tool known as AuKill (also referred to as AvNeutralizer). The tool is designed to neutralize endpoint protection software, signaling the group’s attempt to diversify its monetization strategies and strengthen its foothold in compromised environments.

Conclusion

The discovery of the Anubis backdoor illustrates the advanced capabilities and persistent threat posed by FIN7. By leveraging Python-based scripting and in-memory execution, the group minimizes the malware’s visibility while maintaining extensive control over infected systems. Organizations must remain vigilant, strengthen email filtering and endpoint defenses, and ensure timely updates to security protocols to counter such sophisticated threats. As FIN7 continues to evolve, so must the strategies for defending against their increasingly covert operations.
