FIN7’s Anubis Backdoor: A New Threat to Windows Systems via Compromised SharePoint Sites

The cybercriminal group FIN7, also tracked as Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, has added a Python-based backdoor named Anubis to its toolset (not to be confused with the unrelated Android banking trojan of the same name). The malware gives operators interactive control of infected Windows machines, including remote shell command execution and a small set of built-in system operations.

Background on FIN7

Active since at least 2015, FIN7 has targeted sectors such as finance and hospitality, causing significant financial losses worldwide. The group is known for its custom malware and well-crafted social engineering. In recent years it has also operated as a ransomware affiliate and has added tooling such as AuKill (also known as AvNeutralizer), which disables endpoint security software before the main payload runs.

Anubis Backdoor Overview

Anubis is a lightweight Python backdoor built for low visibility rather than for a rich feature set: the agent itself implements only a handful of commands, and most post-exploitation capability is supplied by the operator as shell commands at runtime. This keeps the on-disk footprint small and gives a static scan of the agent little more than a generic remote shell to match on.

Infection Vector and Deployment

Delivery is through malspam: recipients are lured to a ZIP archive hosted on a compromised SharePoint site, a trusted Microsoft domain that URL reputation filters are unlikely to block. The archive contains several Python files; the one that matters is a script named conf.py, which decrypts the main obfuscated payload and executes it, so the real backdoor code is never stored on disk in readable form. ([gdatasoftware.com](https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor?utm_source=openai))

Technical Details and Capabilities

Upon execution, Anubis connects to a remote server over a plain TCP socket and exchanges messages encoded in Base64. Base64 is an encoding, not encryption: anyone positioned on the network path can decode the commands and responses, so the channel offers no confidentiality and is straightforward to inspect once identified. The backdoor supports a small set of built-in commands, including:

– Gathering the IP address of the host
– Uploading and downloading files
– Changing the current working directory
– Retrieving environment variables
– Modifying the Windows Registry
– Loading DLL files into memory using PythonMemoryModule
– Terminating its own process

Any C2 response that is not one of these built-in commands is executed as a shell command on the victim's system. Capabilities such as keylogging, taking screenshots, or stealing passwords are therefore not present in the agent itself but are supplied by the operator when needed, so the code on the infected machine reveals little about what the intrusion is actually doing. This lightweight design reduces the chance of detection while leaving the operator free to run arbitrary follow-on activity.
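The following Python is added here as an illustration and is not code from the G DATA analysis or from the malware. It shows why plain Base64 over TCP is a weak transport: a small classifier takes raw TCP payloads, decides whether each one is well-formed Base64, decodes it, and flags decoded content that looks like a shell command. The sample payloads and the marker list are constructed; the real Anubis command names are not given on this page, so the markers are assumptions to tune for your own environment.

```python
import base64
import binascii
import string

# Constructed sample payloads (not real captures). The first three model the
# framing described above: a whole message is plain Base64 text on a raw socket.
# The last is the start of a TLS ClientHello, for contrast.
SAMPLE_PAYLOADS = {
    "operator_to_agent": base64.b64encode(b"cmd /c whoami /all"),
    "agent_to_operator": base64.b64encode(b"contoso\\jdoe\r\n"),
    "file_chunk": base64.b64encode(bytes(range(0, 256, 7))),
    "tls_hello": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x8a\x11",
}

B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)
PRINTABLE = frozenset(string.printable.encode())

# Assumed markers for operator shell activity; the real Anubis command names are
# not given on this page, so tune this list to your own environment.
SHELL_MARKERS = (b"cmd ", b"cmd.exe", b"powershell", b"whoami", b"/c ", b"net user")


def decode_if_base64(payload: bytes):
    """Return the decoded bytes if the whole payload is well-formed Base64, else None."""
    body = payload.strip()
    if len(body) < 8 or any(c not in B64_ALPHABET for c in body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:  # bad padding or length
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; near 1.0 means text, low means binary."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def classify(payload: bytes) -> dict:
    """Label one TCP payload: not Base64, Base64-wrapped binary, Base64 text, or
    Base64 text that looks like a shell command. Returns the decoded bytes too."""
    decoded = decode_if_base64(payload)
    if decoded is None:
        return {"verdict": "not_base64", "decoded": None, "markers": []}
    if printable_ratio(decoded) < 0.9:
        return {"verdict": "base64_binary", "decoded": decoded, "markers": []}
    lowered = decoded.lower()
    markers = [m.decode() for m in SHELL_MARKERS if m in lowered]
    verdict = "base64_shell_command" if markers else "base64_text"
    return {"verdict": verdict, "decoded": decoded, "markers": markers}


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        result = classify(payload)
        print(f"{name:18} -> {result['verdict']:22} {result['decoded']!r:.40}")
```

In a real deployment the same logic would run per-session on payloads carved from a packet capture or a network sensor, and the "base64_shell_command" verdict on a session to an uncommon port is the signal worth alerting on; the "base64_binary" verdict covers file transfers over the same channel.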

Obfuscation and Evasion Techniques

Anubis employs multiple layers of obfuscation to evade detection:

– String Delimiters and Base64 Encoding: The payload is split into chunks separated by fixed delimiters and Base64-encoded, so the ciphertext never appears as one contiguous string that a simple scanner could pick out.
– AES Encryption: The underlying code is encrypted with AES in CBC mode, so the outer layers reveal nothing until the key is recovered. Because conf.py decrypts without any operator input, the key (or the material to derive it) is necessarily present in the loader.
– Temporary File Execution: The decrypted code is written to a temporary file, executed, and immediately deleted. The file exists only briefly, but its creation and deletion still leave traces (file-system journal entries, EDR file-create events), so the technique is not truly fileless.

These techniques defeat signature matching on the archive contents and make the loader look like unremarkable Python glue code. They do not hide the behaviour from dynamic analysis: the decrypted stage can be captured at the point where it is written to the temporary file or handed to the interpreter. ([gdatasoftware.com](https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor?utm_source=openai))

Configuration Storage and Persistence

Anubis keeps its command and control (C2) configuration in the Windows Registry under HKEY_CURRENT_USER\Software\ in a subkey named with two random words (e.g., FormidableHandlers). The value is encrypted with AES-CBC using a key derived from the agent ID combined with the victim's computer name, so a blob lifted from one host cannot be decrypted on another without those inputs. This entry holds configuration rather than an autostart instruction: it is what lets the backdoor find its C2 again, not what relaunches it after a reboot. For an analyst with access to the host the key inputs are recoverable, since the computer name is a system property and the agent ID must be available to the agent itself, so the configuration can be decrypted offline. ([gdatasoftware.com](https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor?utm_source=openai))

Implications and Recommendations

The deployment of Anubis shows FIN7 continuing to refine its tooling. Beyond the generic advice (email filtering, patching, user awareness), the details above point to concrete controls: block or quarantine ZIP attachments and links to unexpected SharePoint sites at the mail gateway; alert on Python interpreter processes started from user-writable or freshly extracted directories on hosts where Python is not expected; inspect unencrypted TCP sessions to uncommon ports whose payloads consist entirely of Base64 text; and hunt for HKEY_CURRENT_USER\Software subkeys with random two-word names holding opaque encrypted values. Training employees to verify links even on trusted domains remains worthwhile, since the lure here relies on a legitimate-looking SharePoint host.

By understanding the tactics and tools employed by groups like FIN7, organizations can better prepare and defend against such advanced persistent threats.