The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan of the same name) that gives the group remote access to compromised Windows systems.
In a technical review of the trojan, Swiss cybersecurity firm PRODAFT stated that "this malware allows intruders to perform remote shell instructions and other program operations, giving them complete control over an infected machine."
FIN7, also tracked as Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian crime group known for its constantly evolving and growing collection of malware families used for initial access and data theft. In recent years the threat actor is said to have shifted to operating as a ransomware affiliate.
In a likely attempt to diversify its monetization strategy in July 2024, the group was spotted using various online aliases to promote a tool called AuKill ( also known as AvNeutralizer ) that is capable of terminating security tools.
Anubis is thought to have been spread through malspam campaigns that typically lure victims into running a payload hosted on compromised SharePoint sites.
The infection starts with a ZIP archive containing a Python script that decrypts the main obfuscated payload and executes it directly in memory. Once launched, the backdoor communicates with a remote server over a TCP socket, with messages exchanged in Base64-encoded form.
The server's responses, also Base64-encoded, allow it to obtain the host's IP address, upload and download files, change the current working directory, alter the Windows Registry, load DLL files into memory using PythonMemoryModule, and terminate itself.
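The raw-TCP, Base64-encoded exchange described above is a trait a defender can look for in traffic captures. The following is an added triage heuristic, not code from the article, PRODAFT or GDATA: it flags a TCP conversation when most of its messages strictly decode from Base64 into printable text. The sample payloads are constructed for illustration, since the real command grammar is not described here.

```python
import base64
import binascii
import string

# Constructed sample conversations (direction, payload as captured text).
# The Anubis command format is not documented on this page, so these
# messages are invented stand-ins that merely share the Base64-over-TCP trait.
C2_LIKE = [
    ("c2->host", base64.b64encode(b"whoami").decode()),
    ("host->c2", base64.b64encode(b"desktop-01\\user").decode()),
    ("c2->host", base64.b64encode(b"cd C:\\Users\\user").decode()),
    ("host->c2", base64.b64encode(b"ok").decode()),
]
BENIGN_HTTP = [
    ("client->srv", "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("srv->client", "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]

PRINTABLE = set(string.printable.encode())


def decode_if_base64_text(payload):
    """Return decoded text if payload is strict Base64 of printable ASCII, else None."""
    stripped = payload.strip()
    if len(stripped) < 4 or len(stripped) % 4:
        return None
    try:
        # validate=True rejects any character outside the Base64 alphabet,
        # which rules out ordinary protocols such as HTTP headers.
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b not in PRINTABLE for b in raw):
        return None
    return raw.decode("ascii")


def score_conversation(messages, min_messages=3, threshold=0.8):
    """Flag a conversation when at least `threshold` of its messages decode
    to Base64 text and there are enough messages to be meaningful.
    Returns (flagged, ratio, decoded_messages)."""
    decoded = [decode_if_base64_text(payload) for _, payload in messages]
    hits = sum(d is not None for d in decoded)
    ratio = hits / len(messages) if messages else 0.0
    flagged = len(messages) >= min_messages and ratio >= threshold
    return flagged, ratio, [d for d in decoded if d is not None]
```

Legitimate Base64-carrying protocols (SMTP AUTH, for instance) will also score high, so treat a hit as a prompt to inspect the decoded messages and the process that owns the socket, not as a verdict on its own.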
In an independent analysis of Anubis, German security firm GDATA noted that the backdoor also allows the victim system to execute operator-provided responses as shell commands.
"This enables attackers to perform actions like keylogging, taking screenshots, or stealing passwords without directly storing these capabilities on the infected system," PRODAFT said. By keeping the backdoor as light as possible, the operators reduce the likelihood of detection while retaining the flexibility to carry out additional malicious activities.