FIN7 Gang Weaponizes SharePoint with Anubis Backdoor for Windows Attacks
Infamous cybercrime group FIN7 is back, and this time they're leveraging compromised SharePoint sites to spread a new Python-based backdoor dubbed Anubis. Security researchers warn that this Anubis backdoor (distinct from the Android banking trojan of the same name) provides FIN7 with remote control over infected Windows machines.

The notorious FIN7 hacking group, known for its financially motivated attacks, is at it again. This time, it is using a sneaky Python-based backdoor called "Anubis" to gain remote control over compromised Windows machines. Just to be clear, this isn't the same as the Android banking trojan of the same name.
According to a technical report by PRODAFT, a Swiss cybersecurity firm, this malware is a serious threat. "This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine," they said.
Who is FIN7?
FIN7, which goes by many aliases, including Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian cybercrime group. It is known for an ever-evolving and expanding collection of malware, which it uses to break into systems and steal data. More recently, the group appears to be shifting toward operating as a ransomware affiliate, which means its attacks are getting even more aggressive.
In July 2024, the group was spotted advertising a tool called AuKill (also known as AvNeutralizer) under various online aliases. This tool can shut down security programs, suggesting they're looking for new ways to make money from their attacks.
How Does Anubis Spread?
Experts believe Anubis is spread through malicious spam (malspam) campaigns. These campaigns trick victims into running the malware, which is often hosted on compromised SharePoint sites. Watch out for suspicious emails!
The malware arrives as a ZIP file. Inside is a Python script that decrypts the main component of the malware and runs it directly in memory, without writing it to disk. Once running, the backdoor connects to a remote server over a TCP socket and exchanges Base64-encoded messages with it.
The server can then send commands to the infected machine. These commands allow the hackers to:
- Get the host's IP address
- Upload and download files
- Change the current working directory
- Grab environment variables
- Modify the Windows Registry
- Load DLL files into memory using PythonMemoryModule
- Terminate itself
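To make the delivery chain and command set described above concrete from a defender's side, here is an added example (written for this article, not PRODAFT's or GDATA's analysis tooling) of a static triage script: it opens a ZIP attachment in memory and flags any Python member that combines the behaviours the report lists (TCP socket plus Base64 codec, in-memory execution of decrypted code, registry access, environment harvesting, directory changes, in-memory DLL loading). The indicator regexes, the scoring threshold and the two sample scripts inside the constructed archive are assumptions for illustration, not signatures derived from the real Anubis sample.

```python
"""Static triage of a ZIP attachment for Python scripts whose source combines
the behaviours attributed to the Anubis backdoor.  Added example; the
indicator patterns, threshold and sample archive below are constructed."""
import io
import re
import zipfile

# Heuristic indicators, one per capability named in the report.  Order matters
# only for the order in which hits are reported.
INDICATORS = [
    ("tcp_socket", re.compile(r"\bsocket\.socket\(")),
    ("base64_codec", re.compile(r"\bbase64\.b64(en|de)code\(")),
    ("in_memory_exec", re.compile(r"\b(exec|eval)\(\s*compile\(")),
    ("registry_access", re.compile(r"\bwinreg\.")),
    ("env_harvest", re.compile(r"\bos\.environ\b")),
    ("cwd_change", re.compile(r"\bos\.chdir\(")),
    ("memory_dll_load", re.compile(r"PythonMemoryModule|MemoryModule")),
]


def analyze_script(source: str) -> list:
    """Return the names of all indicators whose pattern occurs in the source."""
    return [name for name, pattern in INDICATORS if pattern.search(source)]


def verdict(hits: list) -> str:
    """Constructed scoring rule: in-memory execution together with a raw TCP
    socket is enough on its own; otherwise three or more indicators are needed
    so that ordinary admin scripts using one of them are not flagged."""
    if "in_memory_exec" in hits and "tcp_socket" in hits:
        return "suspicious"
    if len(hits) >= 3:
        return "suspicious"
    return "benign"


def triage_zip(archive: bytes) -> dict:
    """Map every .py/.pyw member of the archive to (verdict, indicator hits).
    The archive is read from bytes so nothing is extracted to disk."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith((".py", ".pyw")):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            hits = analyze_script(source)
            results[info.filename] = (verdict(hits), hits)
    return results


# Constructed benign member: a CSV row counter that should not be flagged.
BENIGN_SCRIPT = '''import csv, sys
# constructed benign script: reads a CSV file and prints its row count
with open(sys.argv[1], newline="") as fh:
    print(sum(1 for _ in csv.reader(fh)))
'''

# Constructed suspicious member.  'decrypt' and 'blob' are undefined
# placeholders, so this text is not runnable; it exists only to carry the
# indicator combination the triage script looks for.
SUSPICIOUS_SCRIPT = '''import socket, base64, os, winreg
# constructed stand-in: placeholders only, nothing here is fetched or executed
stage2 = decrypt(blob)
exec(compile(stage2, "<memory>", "exec"))
conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
reply = base64.b64decode(b"Y29uc3RydWN0ZWQ=")
os.chdir(reply.decode())
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Software")
print(dict(os.environ))
'''


def build_sample_archive() -> bytes:
    """Build the constructed ZIP attachment in memory: a decoy text file plus
    the two Python members above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "Constructed decoy text, not a script.\n")
        zf.writestr("viewer.py", BENIGN_SCRIPT)
        zf.writestr("loader.py", SUSPICIOUS_SCRIPT)
    return buf.getvalue()


if __name__ == "__main__":
    for member, (label, hits) in triage_zip(build_sample_archive()).items():
        print(f"{member}: {label} {hits}")
```

Run as-is, it reports `viewer.py` as benign with no hits and `loader.py` as suspicious with six hits. In practice the regexes are a first-pass filter for mail-gateway or sandbox pre-screening; they do nothing for a script that builds its imports dynamically, which is why the threshold keeps a single indicator from raising an alert and why the in-memory execution plus socket pair is treated as decisive regardless of the count.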
More Analysis of Anubis
GDATA, a German security company, also published its own analysis of Anubis. It noted that the backdoor can additionally run attacker-supplied commands as shell commands on the victim's system.
PRODAFT explains the impact: "This enables attackers to perform actions such as keylogging, taking screenshots, or stealing passwords without directly storing these capabilities on the infected system. By keeping the backdoor as lightweight as possible, they reduce the risk of detection while maintaining flexibility for executing further malicious activities."