Researchers have recently discovered a sophisticated Python-based backdoor, known as the Anubis Backdoor, deployed by the notorious cybercrime group FIN7.
This advanced threat actor, active since at least 2015, has been responsible for billions of dollars in damages globally, primarily targeting the financial and hospitality sectors.
The Anubis Backdoor represents a significant evolution in FIN7’s tactics, leveraging Python to create a stealthy tool that blends seamlessly with legitimate system operations.
The initial infection vector involves a seemingly innocuous ZIP archive containing multiple Python files, including a script named “conf.py.”
According to the G DATA report, this archive is distributed via phishing campaigns, highlighting FIN7’s continued reliance on social engineering.
The conf.py script is a multi-stage loader. It uses AES encryption in CBC mode with padding, SHA-256 hashing, and Base64 encoding to obfuscate its malicious payload.
At run time the script takes an obfuscated string, splits and Base64-decodes it, decrypts the result, writes the decrypted content to a temporary file, executes that file, and then deletes it to minimize its footprint on disk.
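A static triage script for the archive stage described above, added here as an example and not code from the G DATA report or from the malware itself: it parses every .py member of a ZIP with Python's ast module, never executing anything, and maps imports and call targets to the loader stages the text names (AES-CBC, SHA-256, Base64, temporary file, execution, self-deletion, Registry access). The indicator table, the scoring threshold and the embedded sample archive are constructed assumptions; the sample conf.py is a benign skeleton with a placeholder blob that mirrors the described API surface, not the real loader.

```python
import ast
import io
import zipfile
from dataclasses import dataclass, field

# Assumed indicator table: dotted names matching the loader stages in the report.
# Import form ("hashlib.sha256") and call form ("sha256") are both listed so that
# `from hashlib import sha256` and `hashlib.sha256(...)` each match.
INDICATORS = {
    "aes": {"Crypto.Cipher.AES", "Cryptodome.Cipher.AES", "AES.new", "AES"},
    "hash": {"hashlib.sha256", "sha256"},
    "b64": {"base64", "base64.b64decode", "b64decode"},
    "tempfile": {"tempfile", "tempfile.mkstemp", "tempfile.NamedTemporaryFile"},
    "exec": {"exec", "eval", "subprocess", "subprocess.run",
             "subprocess.Popen", "subprocess.call", "os.system"},
    "delete": {"os.remove", "os.unlink"},
    "registry": {"winreg", "winreg.OpenKey", "winreg.CreateKey",
                 "winreg.SetValueEx", "winreg.QueryValueEx"},
}


def _dotted(node):
    """Turn a Name/Attribute chain such as `AES.new` into 'AES.new'; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def extract_names(source):
    """Collect imported modules/symbols and the dotted name of every call target."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            names.update(f"{mod}.{a.name}" if mod else a.name for a in node.names)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name:
                names.add(name)
    return names


def classify(source):
    """Map each indicator category to the names that triggered it (empty if none)."""
    names = extract_names(source)
    return {cat: sorted(names & toks) for cat, toks in INDICATORS.items() if names & toks}


@dataclass
class Finding:
    member: str
    hits: dict = field(default_factory=dict)
    parse_error: bool = False

    @property
    def loader_like(self):
        # Assumed threshold: an execution primitive plus at least three other stages.
        return "exec" in self.hits and len(self.hits) >= 4


def scan_archive(zip_bytes):
    """Parse every .py member of an in-memory ZIP; nothing is imported or run."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".py"):
                continue
            src = zf.read(info.filename).decode("utf-8", errors="replace")
            try:
                findings[info.filename] = Finding(info.filename, classify(src))
            except SyntaxError:
                findings[info.filename] = Finding(info.filename, parse_error=True)
    return findings


# Constructed sample archive (not a real FIN7 sample). conf.py is a skeleton with
# the same API surface as the described loader and a placeholder blob; helper.py is benign.
SAMPLE_LOADER = '''
import base64, hashlib, os, tempfile, subprocess
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
BLOB = "placeholder"
def run():
    key = hashlib.sha256(b"k").digest()
    data = base64.b64decode("".join(BLOB.split("|")))
    pt = unpad(AES.new(key, AES.MODE_CBC, data[:16]).decrypt(data[16:]), 16)
    fd, path = tempfile.mkstemp(suffix=".py")
    os.write(fd, pt)
    os.close(fd)
    subprocess.run(["python", path])
    os.remove(path)
'''
SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''


def build_sample_archive():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("conf.py", SAMPLE_LOADER)
        zf.writestr("helper.py", SAMPLE_BENIGN)
    return buf.getvalue()


if __name__ == "__main__":
    for name, f in scan_archive(build_sample_archive()).items():
        print(name, "LOADER-LIKE" if f.loader_like else "clean", f.hits)
```

Matching is on exact dotted names rather than substrings, so a `list.remove` call does not count as self-deletion, and the AST walk sees through the splitting and string concatenation the loader uses because it looks at call targets, not at literal content. The obvious gap is that a loader which builds its call names dynamically (for example via `getattr`) would not register; treat a parse error or an unexpectedly empty finding on a file named conf.py as a reason to look by hand.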
The Anubis Backdoor’s core functionality includes HTTP communication over ports 80 and 443, a customizable C2 server list stored in the Windows Registry, and command execution through Python’s subprocess module.
It features a streamlined file upload mechanism, allowing attackers to deliver additional tools and malware to compromised systems.
The backdoor persists its C2 configuration in the Windows Registry, encrypted with AES-CBC under a key derived from the agent ID and the victim’s computer name.
Because the key depends on host-specific values, the stored configuration differs on every infected machine and cannot be decrypted offline without knowing those values.
The Anubis Backdoor provides FIN7 with a flexible remote access tool capable of operating across Windows environments.
Its design demonstrates FIN7’s continued evolution in developing covert communication channels that blend with legitimate network traffic.
The combination of multi-layered obfuscation, encryption, and modular command structure gives threat actors significant capabilities, including complete shell access, file exfiltration, and dynamic control of C2 infrastructure.
These features, along with operational security measures to hinder analysis and detection, underscore the sophistication and adaptability of FIN7’s latest tool.