CyberSecurity SEE

Researchers Discover FIN7’s Covert Anubis Backdoor Powered by Python


Researchers have recently documented a Python-based backdoor known as the Anubis Backdoor, which has been attributed to the cybercrime group FIN7. This group, active since at least 2015, has caused billions of dollars in damages globally, targeting the financial and hospitality sectors in particular.

The discovery of the Anubis Backdoor represents a significant advancement in FIN7’s tactics, as they have now embraced Python to craft a stealthy tool that can seamlessly blend in with legitimate system operations.

The Anubis Backdoor’s infection vector involves a seemingly harmless ZIP archive containing multiple Python files, including a script named “conf.py.” This archive is disseminated through phishing campaigns, showcasing FIN7’s ongoing reliance on social engineering techniques. The conf.py script utilizes a multi-stage attack, employing AES encryption in CBC mode with padding, SHA-256 hashing, and Base64 encoding to obscure its malicious payload.

The script further processes an obfuscated code string by decoding it, decrypting the content, writing it to a temporary file, executing it, and then deleting the file to minimize its footprint on disk. This intricate obfuscation technique highlights the advanced nature of the Anubis Backdoor.

The core functionality of the Anubis Backdoor includes network communication over HTTP ports (80/443), customizable server lists stored in the Windows Registry for persistence, and command execution capabilities through Python’s subprocess module. It also features a streamlined file upload mechanism, enabling attackers to deliver additional tools and malware to compromised systems. The backdoor ensures persistence by storing its C2 configuration in the Windows Registry, encrypted using AES-CBC with a key derived from the agent ID and victim’s computer name, making each infection unique and challenging to decrypt without specific environmental knowledge.
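The stages above (Base64 decoding, AES-CBC decryption, SHA-256 hashing, temp-file staging, execution, self-deletion and Registry storage) give a defender a static triage signal. The following added example, not code from the report or from the sample itself, parses a Python script with `ast` (never executing it) and flags scripts that combine several of those indicator groups; the group tokens, the alert threshold and both sample scripts are constructed for illustration.

```python
import ast

# Indicator groups taken from the reported conf.py stages: Base64 decoding,
# AES-CBC decryption, SHA-256 hashing, temp-file staging, execution,
# self-deletion and Registry storage. A group matches when any token appears.
INDICATOR_GROUPS = {
    "base64_decode": {"b64decode"},
    "aes_cbc": {"AES", "MODE_CBC"},
    "sha256": {"sha256"},
    "temp_file": {"NamedTemporaryFile", "mkstemp", "gettempdir"},
    "execute": {"exec", "Popen", "run", "call", "system"},
    "self_delete": {"remove", "unlink"},
    "registry": {"OpenKey", "CreateKey", "SetValueEx", "QueryValueEx"},
}
ALERT_THRESHOLD = 5  # assumed cut-off; any single group is common in benign code


def extract_names(source: str) -> set:
    """Parse (never execute) the script and collect every name and attribute used."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name):
            names.add(node.id)
        elif isinstance(node, ast.Attribute):
            names.add(node.attr)
    return names


def triage(source: str) -> dict:
    """Return the matched indicator groups and whether the script crosses the threshold."""
    names = extract_names(source)
    hits = sorted(g for g, tokens in INDICATOR_GROUPS.items() if names & tokens)
    return {"hits": hits, "flag": len(hits) >= ALERT_THRESHOLD}


# Constructed samples: a benign hashing utility and a loader-shaped skeleton with a
# placeholder blob (no payload) mirroring the stages described in the article.
BENIGN = """
import hashlib
def digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()
"""
LOADER_LIKE = r"""
import base64, hashlib, os, subprocess, tempfile, winreg
from Crypto.Cipher import AES
key = hashlib.sha256(b"agent-id" + b"hostname").digest()
code = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(base64.b64decode("PLACEHOLDER"))
tmp = tempfile.NamedTemporaryFile(suffix=".py", delete=False)
subprocess.run(["python", tmp.name]); os.remove(tmp.name)
winreg.SetValueEx(winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Software"), "servers", 0, 3, code)
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("loader-like", LOADER_LIKE)):
        print(label, triage(src))
```

The threshold is deliberately coarse: a single AES or Registry call is ordinary, but a script touching five or more of these groups at once is worth a closer look.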

The Anubis Backdoor provides FIN7 with a versatile remote access tool that can operate across various Windows environments. This design showcases FIN7’s evolving capability to create covert communication channels that blend seamlessly with legitimate network traffic. The combination of intricate obfuscation, encryption, and modular command structure gives threat actors significant capabilities, including complete shell access, file exfiltration, and dynamic control of C2 infrastructure. These features, coupled with operational security measures to impede analysis and detection, emphasize the sophistication and adaptability of FIN7’s latest tool.

The discovery of the Anubis Backdoor underscores the continuous threat posed by cybercriminal groups like FIN7 and the need for organizations to remain vigilant and employ robust cybersecurity measures to safeguard their systems and data. As cyber threats continue to evolve, it is imperative for security professionals to stay informed and proactive in defending against malicious actors.
