The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with the Android banking trojan of the same name) that can grant them remote access to compromised Windows systems.
“This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine,” Swiss cybersecurity company PRODAFT said in a technical report on the malware.
FIN7, also known as Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian cybercrime group known for its ever-evolving and expanding set of malware families for obtaining initial access and exfiltrating data. In recent years, the threat actor is said to have transitioned to being a ransomware affiliate.
In July 2024, the group was observed using various online aliases to advertise a tool called AuKill (aka AvNeutralizer) that is capable of terminating security tools, in a likely attempt to diversify its monetization strategy.
Anubis is believed to be propagated via malspam campaigns that typically lure victims into executing a payload hosted on compromised SharePoint sites.
Delivered in the form of a ZIP archive, the entry point of the infection is a Python script designed to decrypt and execute the main obfuscated payload directly in memory. Once launched, the backdoor establishes communications with a remote server over a TCP socket, exchanging messages in Base64-encoded form.
The responses from the server, also Base64-encoded, allow it to gather the IP address of the host, upload and download files, change the current working directory, collect environment variables, alter the Windows Registry, load DLL files into memory using PythonMemoryModule, and terminate itself.
In an independent analysis of Anubis, German security company GDATA said the backdoor also supports the ability to run operator-provided responses as a shell command on the victim system.
“This allows attackers to perform actions such as keylogging, taking screenshots, or stealing passwords without directly storing these capabilities on the infected system,” PRODAFT said. “By keeping the backdoor as lightweight as possible, they reduce the risk of detection while maintaining flexibility for executing further malicious actions.”
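The C2 traffic described above (plain TCP, with both directions Base64-encoded, carrying commands for shell execution, directory changes, environment collection, registry changes, in-memory DLL loading and file transfer) gives a network defender a simple triage angle: decode any payload that looks like Base64 and check the plaintext for those command categories. The script below is an added illustration, not code from the PRODAFT or GDATA reports and not Anubis's own protocol; the sample payloads, the command keywords and the category names are constructed for the example and are not real Anubis indicators.

```python
"""Triage helper: decode Base64-looking TCP payload strings and flag plaintext
that matches the command categories attributed to the Anubis backdoor."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample of payload strings as a sensor might log them. These are
# illustrative, not captured Anubis traffic; the command wording is hypothetical.
SAMPLE_PAYLOADS = [
    base64.b64encode(b"cmd /c whoami && ipconfig /all").decode(),
    base64.b64encode(b"cd C:\\Users\\Public").decode(),
    base64.b64encode(b"echo %COMPUTERNAME% %USERNAME%").decode(),
    base64.b64encode(b"reg add HKCU\\Software\\Example /v Setting /d 1").decode(),
    base64.b64encode(b"PythonMemoryModule load helper.dll").decode(),
    base64.b64encode(b"upload C:\\Users\\Public\\notes.txt").decode(),
    "GET / HTTP/1.1",                             # plain text, not Base64
    base64.b64encode(b"hello world").decode(),    # Base64 but benign content
]

# Loose Base64 shape check: alphabet only, at least 8 chars, up to two '=' pads.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Plaintext patterns for the capabilities described in the reports. The
# keywords are assumptions for this example, not Anubis's real command names.
CATEGORIES: Dict[str, re.Pattern] = {
    "shell_command": re.compile(r"\b(cmd(\.exe)?\s*/c|powershell|whoami|ipconfig)\b", re.I),
    "change_directory": re.compile(r"^cd\s", re.I),
    "env_enumeration": re.compile(r"%\w+%|os\.environ", re.I),
    "registry_change": re.compile(r"\breg(\.exe)?\s+(add|delete)\b|\bwinreg\b", re.I),
    "dll_in_memory": re.compile(r"PythonMemoryModule|MemoryModule", re.I),
    "file_transfer": re.compile(r"\b(upload|download)\b", re.I),
}


def decode_if_base64(text: str) -> Optional[str]:
    """Return the decoded UTF-8 text if `text` is plausible Base64, else None."""
    stripped = text.strip()
    if not BASE64_RE.match(stripped) or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(decoded: str) -> List[str]:
    """Return the names of every command category the plaintext matches."""
    return [name for name, pattern in CATEGORIES.items() if pattern.search(decoded)]


def scan_payloads(payloads: List[str]) -> List[dict]:
    """Decode each payload and keep those whose plaintext hits a category."""
    findings = []
    for line in payloads:
        decoded = decode_if_base64(line)
        if decoded is None:
            continue  # not Base64: outside this backdoor's described framing
        categories = classify(decoded)
        if categories:
            findings.append({"encoded": line, "decoded": decoded, "categories": categories})
    return findings


if __name__ == "__main__":
    for hit in scan_payloads(SAMPLE_PAYLOADS):
        print(f"{', '.join(hit['categories']):<18} {hit['decoded']}")
```

The Base64 shape check is deliberately loose so that short or padded messages are still considered, and benign Base64 (the `hello world` line) is discarded by the category match rather than by the decoder; in a real deployment the keyword list would be tuned against the environment's normal traffic to keep false positives manageable.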