
FIN7’s new advanced Anubis backdoor allows attackers to gain full system control on Windows


FIN7 cybercrime group has been linked to Anubis, a Python-based backdoor that provides remote access to compromised Windows systems.

The threat actor FIN7, also known as Savage Ladybug, has developed a new Python-based malware, named Anubis Backdoor, which allows attackers to gain full remote control over infected Windows systems. It executes shell commands and system operations while using obfuscation to evade detection. Delivered via phishing and hosted on compromised SharePoint sites, it remains undetected by most antivirus solutions, posing a serious security risk.

“The malware is distributed as a ZIP package, which includes a single Python script alongside multiple Python executables. Some variants execute the obfuscated payload immediately after writing it to disk, while others load the payload and call a specific function from it.” reads the report published by cybersecurity firm PRODAFT. “This variability in execution methods demonstrates the malware’s adaptability and the threat actor’s efforts to diversify their delivery mechanisms for different operational scenarios.”

FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US, harvesting financial information that is then used in attacks or sold in cybercrime marketplaces.

The researchers noted that a Python script of roughly 30 lines serves as the main entry point, decrypting and executing the real payload. The backdoor, targeting Windows, uses AES-CBC encryption with base64 encoding and loads the payload via the exec function. Its obfuscation method, replacing variable names with look-alike characters, resembles tools like PyObfuscate or Anubis Obfuscator; it makes analysis harder but is not highly complex.

The backdoor communicates via a single TCP socket, switching servers if one fails. Messages, including the groupname, are base64-encoded. Upon execution, it sends the process ID and local IP to the C2 server. To determine the local IP, it creates a UDP socket and “connects” it to 8.8.8.8 on port 80; connecting a UDP socket sends no packets, but it lets the OS pick the outbound interface address. Each payload contains a groupname and two IPs for communication.

The backdoor supports multiple commands, including retrieving IP, modifying the registry, executing Python code, and loading DLLs into memory. Remote code execution allows the malware to load malicious functionalities dynamically. The malware supports functionalities like keylogging, file transfers, and registry modifications. It continuously processes commands until termination, using subprocess.Popen for shell execution.
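The traits described in the three paragraphs above (a short loader that base64-decodes and AES-decrypts a blob and hands it to exec, look-alike variable names, the UDP-connect-to-8.8.8.8 trick, and shell execution through subprocess.Popen) are all visible in the source of such a script without running it. The following static triage scanner is an added example written for this page, not code from PRODAFT or from the malware; it walks the Python AST of a suspect script and records which of those indicators are present. The two sample scripts it is run on are constructed fixtures with placeholder key, IV, payload and command, and the indicator names, thresholds and the look-alike character set are assumptions of this example rather than values from the report.

```python
import ast
import base64
from dataclasses import dataclass, field

# Call names the article associates with the loader/backdoor, mapped to a label.
SUSPICIOUS_CALLS = {
    "exec": "exec() of runtime-built code",
    "base64.b64decode": "base64 decoding",
    "AES.new": "AES cipher construction",
    "subprocess.Popen": "shell execution via subprocess.Popen",
}
# Characters that look alike in many fonts; identifiers built only from these are
# a common sign of name-mangling obfuscation (heuristic chosen for this example).
LOOKALIKE_CHARS = set("lI1O0_")


@dataclass
class TriageResult:
    indicators: list = field(default_factory=list)

    def score(self) -> int:
        return len(self.indicators)


def _dotted_name(node: ast.Call) -> str:
    """Return 'a.b.c' for a call like a.b.c(...), or '' if it cannot be resolved."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    parts.append(func.id)
    return ".".join(reversed(parts))


def _connects_to(node: ast.Call, host: str) -> bool:
    """True for sock.connect((host, port)) where host is a string literal."""
    if not _dotted_name(node).endswith(".connect") or not node.args:
        return False
    arg = node.args[0]
    return (isinstance(arg, ast.Tuple) and bool(arg.elts)
            and isinstance(arg.elts[0], ast.Constant) and arg.elts[0].value == host)


def _looks_base64(text: str, min_len: int = 200) -> bool:
    """Long string literal that is valid base64: a typical embedded payload blob."""
    if len(text) < min_len:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (ValueError, TypeError):
        return False


def triage(source: str) -> TriageResult:
    """Parse a Python script (never executing it) and collect loader/backdoor indicators."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return TriageResult(["source does not parse"])
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node)
            if name in SUSPICIOUS_CALLS:
                # exec of a literal string is dull; exec of computed data is the loader pattern.
                if name == "exec" and node.args and isinstance(node.args[0], ast.Constant):
                    continue
                found.add(SUSPICIOUS_CALLS[name])
            if _connects_to(node, "8.8.8.8"):
                found.add("socket to 8.8.8.8 (local-IP discovery trick)")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _looks_base64(node.value):
                found.add("long base64 string literal")
        elif isinstance(node, ast.Name):
            if len(node.id) >= 6 and set(node.id) <= LOOKALIKE_CHARS:
                found.add("look-alike identifier names")
    return TriageResult(sorted(found))


# Constructed fixture: a harmless config loader that should raise no indicator.
BENIGN_SAMPLE = """
import json

def load_config(path):
    with open(path) as fh:
        return json.load(fh)
"""

# Constructed fixture mimicking the loader shape described in the article.
# Key, IV, payload blob and command are placeholders; nothing here is real.
SUSPECT_SAMPLE = (
    "import base64\nimport socket\nimport subprocess\n"
    "from Crypto.Cipher import AES\n"
    'lIl1I0 = "' + "QUFB" * 60 + '"\n'                       # placeholder blob, decodes to "AAA"*60
    "s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n"
    's.connect(("8.8.8.8", 80))\n'
    'OlIl10 = AES.new(b"k" * 16, AES.MODE_CBC, b"i" * 16)\n'  # placeholder key and IV
    "exec(OlIl10.decrypt(base64.b64decode(lIl1I0)))\n"
    'subprocess.Popen("PLACEHOLDER_CMD", shell=True)\n'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        result = triage(sample)
        print(f"{label}: score={result.score()} indicators={result.indicators}")
```

The scanner is deliberately conservative: a single hit (base64 decoding, or even exec) is common in legitimate code, so the score is meant to rank scripts for an analyst rather than to block on its own. Because it parses rather than executes, it can be run on the ZIP contents the article describes without detonating anything.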


“AnubisBackdoor is a stealthy Python-based tool used by Savage Ladybug (FIN7) to maintain access to compromised systems. Despite its mild obfuscation, it remains fully undetected (FUD) by most antivirus solutions. Delivered via malspam campaigns, with compromised SharePoint instances serving the payload, it poses a significant threat to enterprise environments.” concludes the report. “Variants of the backdoor execute the payload differently, suggesting ongoing refinement by attackers.”


Pierluigi Paganini

(SecurityAffairs – hacking, Anubis backdoor)