A financially motivated threat actor known as FIN7 is linked to a Python-based backdoor called Anubis (not to be confused with Android Banking Trojan of the same name) that allows remote access to compromised Windows systems.
“The malware allows an attacker to perform remote shell commands and other system operations to give him complete control over the infected machine,” Swiss Cybersecurity Company Prodaft said in a technical report for the malware.
FIN7 is also known as Carbon Spider, Elbras, Gold Niagara, Sangria Tempest, and Savage Ten Bug, a Russian cybercrime group known for its evolving and expanding set of malware families to obtain early access and data exfoliation. In recent years, it is said that threat actors have moved to ransomware affiliate marketing.
In July 2024, the group was observed to promote a tool called Aukill (aka Avneutralizer), which can use a variety of online aliases to terminate security tools in attempts that could diversify their monetization strategies.
Anubis is usually thought to be propagated through the Malspam campaign, which entices victims to run payloads hosted on the compromised SharePoint site.
The entry point for infections delivered in the form of zip archives is a Python script designed to directly decrypt and execute the major obfuscated payloads in memory. Upon booting, the backdoor establishes communication with the remote server via a TCP socket in Base64 encoded format.
Also, responses from the base 64 encoded server collect the host’s IP address, upload/download the file, change the current working directory, change the grab environment variables, change the Windows registry, load the DLL file into memory using PythonMemoryModule and exit.
In an independent analysis of Anubis, German security company GDATA said that the backdoor also supports the ability to perform responses provided by operators as shell commands for the victim system.
“This allows attackers to take actions such as keylogging, taking screenshots, and stealing passwords without storing these features directly on the infected system,” Prodaft said. “By keeping the backdoor as light as possible, we reduce the risk of detection while still maintaining the flexibility to carry out even malicious activities.”
Source link
