The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with the Android banking trojan of the same name) that gives them remote access to compromised Windows systems.
In a technical analysis of the trojan, Swiss cybersecurity firm PRODAFT stated that "this malware allows intruders to run remote shell commands and other system operations, giving them complete control over an infected machine."
FIN7, also known as Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian cybercrime group known for its constantly evolving and expanding collection of malware families used for initial access and data exfiltration. The threat actor is said to have more recently become a malware affiliate.
In an apparent effort to broaden its marketing strategy, in July 2024 the group was observed using various online aliases to advertise a tool called AuKill (also known as AvNeutralizer) that is capable of terminating security tools.
Anubis is believed to be distributed through malspam campaigns, which typically lure victims into executing a payload hosted on compromised SharePoint sites.
Delivered as a ZIP archive, the infection's entry point is a Python script designed to decrypt and execute the main obfuscated payload directly in memory. Once launched, the backdoor establishes communication with a remote server over a TCP socket, with messages exchanged in Base64-encoded form.
The server's responses, also Base64-encoded, allow it to load DLL files into memory using PythonMemoryModule, collect the host's IP address, upload and download files, change the current working directory, modify the Windows Registry, and terminate itself.
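As an added example (not code from PRODAFT, GDATA or the page), the following defender-side triage script shows the kind of check that a Base64-wrapped TCP command channel invites: it decodes candidate payloads, flags decoded text that looks like operator shell or registry commands, and separately flags non-text blobs of the sort a file transfer or in-memory DLL load would produce. The sample payloads and the command patterns are constructed assumptions, not Anubis' real wire format.

```python
import base64
import binascii
import re

# Constructed sample TCP payloads (NOT real Anubis traffic): each entry is the
# application-layer bytes of one message, Base64-encoded as the report describes.
SAMPLE_PAYLOADS = [
    base64.b64encode(b"cmd /c whoami").decode(),
    base64.b64encode(b'reg add "HKCU\\Software\\Example" /v x /d c:\\tmp\\a.exe').decode(),
    base64.b64encode(b"GET /index.html HTTP/1.1").decode(),
    "not base64 at all!!",
    base64.b64encode(bytes(range(256))).decode(),  # binary blob, e.g. a file or DLL
]

# Hypothetical indicators of operator activity inside the decoded channel.
COMMAND_PATTERNS = [
    re.compile(rb"^(cmd|powershell)(\.exe)?\b", re.I),
    re.compile(rb"^reg\s+(add|delete)\b", re.I),
    re.compile(rb"\bHK(LM|CU|CR|U|CC)\\", re.I),
    re.compile(rb"^(cd|dir|whoami|tasklist|net\s+user)\b", re.I),
]

def decode_payload(s: str):
    """Strict Base64 decode; returns None if the payload is not valid Base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None

def is_printable(raw: bytes) -> bool:
    """Operator commands are ASCII text; transferred files and DLL images are not."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)

def classify(s: str) -> str:
    raw = decode_payload(s)
    if raw is None:
        return "not-base64"
    if not raw:
        return "empty"
    if not is_printable(raw):
        return "binary"   # candidate file transfer / in-memory module load
    if any(pat.search(raw) for pat in COMMAND_PATTERNS):
        return "command"  # candidate operator shell or registry command
    return "text"

def triage(payloads):
    """Return one verdict per payload, in order."""
    return [classify(p) for p in payloads]
```

Running the script over real captures means feeding it the reassembled TCP stream segments rather than whole packets, since a single Base64 message may span several segments.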
In an independent analysis of Anubis, European security firm GDATA noted that the backdoor also allows the victim system to execute operator-provided responses as a shell command.
According to PRODAFT, "This enables intruders to perform actions like keylogging, taking screenshots, or stealing passwords without directly storing these capabilities on the infected system." By keeping the backdoor as light as possible, the operators reduce the likelihood of detection while retaining the flexibility to carry out additional malicious activities.