A sophisticated new Python-based backdoor called Anubis, developed by the Russian cybercrime group FIN7, has emerged as a serious threat targeting Windows systems. The malware provides attackers with comprehensive remote access capabilities while employing advanced evasion techniques.
The Anubis backdoor, distributed through phishing campaigns and compromised SharePoint sites, arrives as a ZIP package containing Python scripts and executables. Its modular design allows attackers to dynamically load malicious functionalities and execute system commands while remaining largely undetected by antivirus solutions.
"The malware demonstrates remarkable adaptability in its execution methods, showing the threat actor's commitment to diversifying their attack approaches," notes cybersecurity firm PRODAFT in their recent analysis.
Key capabilities of the Anubis backdoor include:
- Remote shell command execution
- Registry modifications
- Dynamic loading of DLL files
- Keylogging functionality
- File transfer operations
- Python code execution
The malware employs AES-CBC encryption with base64 encoding for its communications, utilizing a TCP socket infrastructure that can switch between servers if connection attempts fail. Upon infection, it reports the process ID and local IP address to its command-and-control servers.
FIN7, also known as Savage Ladybug or Carbanak, has targeted U.S. businesses in the restaurant, gambling, and hospitality sectors since 2015. The group primarily focuses on harvesting financial information for attacks or sale on cybercrime markets.
While the backdoor's obfuscation techniques resemble tools like PyObfuscate or Anubis Obfuscator, making analysis challenging, security researchers note that the complexity level remains moderate. However, its ability to evade detection and maintain persistent access to compromised systems presents a notable threat to enterprise environments.