
April 3, 2025

FIN7 delivers Anubis backdoor via compromised SharePoint sites

The financially driven cybercriminal group FIN7 has been identified deploying the Anubis backdoor to gain unauthorized access to Windows systems. The Python-based Anubis backdoor can execute remote shell commands and perform various system operations, effectively granting FIN7 full control over compromised machines.

Anubis is typically disseminated through malicious spam campaigns that lure victims into executing payloads hosted on compromised SharePoint sites. The infection process begins with a ZIP archive containing a Python script designed to decrypt and execute the main obfuscated payload directly in memory. Once activated, the backdoor establishes communication with a remote server over a TCP socket, transmitting data encoded in Base64.


Anubis’s full capabilities include:

  • Gathering the host's IP address
  • Uploading and downloading files
  • Changing the current working directory
  • Retrieving environment variables
  • Modifying the Windows Registry
  • Loading DLL files into memory

Additionally, it can execute operator-provided responses as shell commands on the victim's system, allowing for actions such as keylogging, taking screenshots, or stealing passwords without directly storing these functionalities on the infected system.

To evade detection, Anubis employs obfuscation techniques such as substituting variable names with visually similar characters, which makes the code harder to read. Its lightweight footprint and in-memory execution reduce its chances of being detected while retaining the flexibility to carry out further malicious activity.
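The identifier obfuscation described above leaves a static trace that analysts can hunt for without running the sample. The following Python script is an added example (not code from the article, from Field Effect, or from the Anubis sample): it tokenizes Python source and flags identifiers that are built only from look-alike ASCII characters (I, l, 1, O, 0) or that contain non-ASCII code points impersonating Latin letters. The confusable character set is an assumption about how such obfuscators name things, and `SAMPLE_SOURCE` is constructed for this example.

```python
"""Static hunt for homoglyph-style identifier obfuscation in Python source.

Added example (not code from the article, from Field Effect, or from the Anubis
sample). It tokenizes Python source and flags identifiers that are (a) built only
from visually confusable ASCII characters such as I, l, 1, O, 0, or (b) contain
non-ASCII code points that can impersonate Latin letters. The confusable set is
an assumption about how such obfuscators name things; SAMPLE_SOURCE is constructed
for this example.
"""
import io
import keyword
import tokenize
import unicodedata
from typing import Optional

# Assumption: an identifier-renaming obfuscator draws from characters that look alike.
CONFUSABLE_ASCII = set("Il1O0_")


def _reason(name: str) -> Optional[str]:
    """Return why an identifier looks obfuscated, or None if it looks ordinary."""
    if not name.isascii():
        # Report the first non-ASCII code point so the analyst can see the substitution.
        ch = next(c for c in name if not c.isascii())
        return "non-ASCII character %r (%s)" % (ch, unicodedata.name(ch, "UNKNOWN"))
    if len(name) >= 3 and set(name) <= CONFUSABLE_ASCII:
        return "built only from confusable ASCII characters"
    return None


def _identifiers(source: str):
    """Yield (name, line) for every identifier token, skipping Python keywords."""
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not keyword.iskeyword(tok.string):
            yield tok.string, tok.start[0]


def find_confusable_identifiers(source: str) -> list:
    """One finding per suspicious identifier occurrence: name, line number, reason."""
    findings = []
    for name, line in _identifiers(source):
        why = _reason(name)
        if why:
            findings.append({"name": name, "line": line, "reason": why})
    return findings


def obfuscation_ratio(source: str) -> float:
    """Fraction of distinct identifiers that look obfuscated; 0.0 when there are none."""
    names = {name for name, _ in _identifiers(source)}
    if not names:
        return 0.0
    return len([n for n in names if _reason(n)]) / len(names)


# Constructed sample: confusable ASCII names plus a Cyrillic 'а' (U+0430) inside 'data'.
SAMPLE_SOURCE = (
    "import base64\n"
    "IlIlI = base64.b64decode\n"
    "d\u0430ta = IlIlI('aGVsbG8=')\n"
    "print(d\u0430ta)\n"
)

if __name__ == "__main__":
    for f in find_confusable_identifiers(SAMPLE_SOURCE):
        print("line %d: %s -- %s" % (f["line"], f["name"], f["reason"]))
    print("obfuscation ratio: %.2f" % obfuscation_ratio(SAMPLE_SOURCE))
```

The ratio is the more useful triage signal: a handful of single-letter names is normal in any script, but a file in which most distinct identifiers fall into the confusable set has almost certainly been run through an obfuscator and deserves a closer look.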

Source: The Hacker News

Analysis

FIN7 is a highly sophisticated cybercriminal group known for its financially motivated attacks, primarily targeting businesses in sectors such as hospitality, retail, and financial services. Also referred to as Carbon Spider or Sangria Tempest, the group has been active since at least 2015 and is responsible for numerous large-scale intrusions.

Originally, FIN7 specialized in point-of-sale (POS) malware to steal payment card data but has since evolved to use more advanced tools, including ransomware and custom backdoors like Anubis, to maximize financial gain. Despite law enforcement disruptions—including arrests of key members—FIN7 has continued to operate, adapting its tactics and expanding its malware arsenal.

FIN7’s Anubis backdoor highlights the threat actor’s ongoing efforts to develop stealthy and adaptable malware. What makes Anubis particularly dangerous is its delivery method and execution.

It is typically spread through phishing campaigns that leverage compromised SharePoint sites, likely breached via vulnerabilities and leaked credentials. Because many companies rely on SharePoint for document sharing and collaboration, security filters are less likely to block links to SharePoint domains.

Furthermore, Anubis operates in memory, which helps it avoid traditional antivirus products that only scan files residing on disk. It also communicates with its command-and-control server using Base64-encoded transmissions, further obfuscating its activity.
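Base64 over a raw TCP socket is also a signal a network monitor can key on, because nothing legitimate normally opens a connection with a bare Base64 token. The script below is an added example (not code from the article, from Field Effect, or from the Anubis sample) that triages captured flow records, flagging connections whose first payload bytes are well-formed Base64 on a port that does not carry an expected plaintext or TLS protocol, and decoding a preview for the analyst. The flow records, addresses and ports are constructed placeholders, and the rule is a heuristic rather than a signature for Anubis.

```python
"""Triage heuristic for Base64-encoded command channels over raw TCP.

Added example (not code from the article, from Field Effect, or from the Anubis
sample). Given a list of captured flow records, flag connections whose opening
payload is nothing but well-formed Base64 on a port that does not carry an
expected plaintext or TLS protocol. SAMPLE_FLOWS, its addresses and ports are
constructed for this example; "bare Base64 at the start of a flow" is a heuristic,
not a signature for Anubis.
"""
import base64
import binascii
import re

# Only the standard Base64 alphabet with optional padding, nothing else.
STRICT_B64 = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")
HEX_ONLY = re.compile(rb"\A[0-9a-fA-F]+\Z")

# Assumption: on these ports the first bytes are a recognisable protocol, not bare Base64.
EXPECTED_PROTOCOL_PORTS = {22, 25, 80, 443, 587, 993, 995}


def is_strict_base64(sample: bytes, min_len: int = 16) -> bool:
    """True if the sample is a single well-formed Base64 token of at least min_len chars."""
    body = sample.strip()
    if len(body) < min_len or len(body) % 4 != 0 or not STRICT_B64.match(body):
        return False
    # Hex strings are a subset of the Base64 alphabet; session ids and hashes
    # would otherwise produce false positives.
    if HEX_ONLY.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def decode_preview(sample: bytes, limit: int = 64) -> str:
    """Decode the Base64 body and return a printable preview for the analyst."""
    raw = base64.b64decode(sample.strip(), validate=True)[:limit]
    return raw.decode("utf-8", errors="replace")


def flag_base64_flows(flows: list) -> list:
    """Return one finding per flow whose opening payload is bare Base64 on an unexpected port."""
    findings = []
    for flow in flows:
        if flow["dport"] in EXPECTED_PROTOCOL_PORTS:
            continue
        if not is_strict_base64(flow["sample"]):
            continue
        findings.append({
            "src": flow["src"],
            "dst": flow["dst"],
            "dport": flow["dport"],
            "preview": decode_preview(flow["sample"]),
        })
    return findings


# Constructed flow records: the first payload bytes observed on each connection.
SAMPLE_FLOWS = [
    {"src": "10.0.0.15", "dst": "203.0.113.7", "dport": 8081,
     "sample": base64.b64encode(b"cd C:\\Users\\Public\n") + b"\n"},
    {"src": "10.0.0.15", "dst": "203.0.113.7", "dport": 8081,
     "sample": base64.b64encode(b"GET_ENV PATH\n")},
    {"src": "10.0.0.22", "dst": "198.51.100.9", "dport": 80,
     "sample": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.22", "dst": "198.51.100.9", "dport": 443,
     "sample": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},
    {"src": "10.0.0.31", "dst": "192.0.2.44", "dport": 2222,
     "sample": b"SSH-2.0-OpenSSH_9.6\r\n"},
]

if __name__ == "__main__":
    for f in flag_base64_flows(SAMPLE_FLOWS):
        print("%s -> %s:%d  decoded: %r" % (f["src"], f["dst"], f["dport"], f["preview"]))
```

The minimum length and the hex exclusion are what keep this usable on real traffic: short tokens and hex-only strings are valid Base64 but appear everywhere, so the rule only fires on longer payloads that decode cleanly, and the decoded preview lets an analyst confirm in seconds whether the channel carries commands or something benign.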

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to backdoors and other malware. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats. Field Effect MDR users are automatically notified when backdoors like Anubis are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.

To mitigate the risks posed by groups like FIN7, Field Effect recommends that organizations implement robust email security measures, train their employees to scrutinize unexpected file downloads, and monitor network activity for signs of unauthorized remote access.
