Aman Mishra
2025-03-21 12:53:00
gbhackers.com
Researchers have recently discovered a sophisticated Python-based backdoor, known as the Anubis Backdoor, deployed by the notorious cybercrime group FIN7.
This advanced threat actor, active since at least 2015, has been responsible for billions of dollars in damages globally, primarily targeting the financial and hospitality sectors.
The Anubis Backdoor represents a significant evolution in FIN7’s tactics, leveraging Python to create a stealthy tool that blends seamlessly with legitimate system operations.
Infection Vector and Obfuscation Techniques
The initial infection vector involves a seemingly innocuous ZIP archive containing multiple Python files, including a script named “conf.py.”
According to G DATA's report, the archive is distributed through phishing campaigns, underlining FIN7's continued reliance on social engineering.
The conf.py script implements a multi-stage loader that uses AES encryption in CBC mode with padding, SHA-256 hashing, and Base64 encoding to obfuscate its malicious payload.
The script processes an obfuscated code string by splitting and decoding it, decrypting the content, writing it to a temporary file, executing it, and then deleting the file to minimize its footprint on disk.

Core Functionality and Persistence
The Anubis Backdoor’s core functionality includes network communication over HTTP ports (80/443), customizable server lists stored in the Windows Registry for persistence, and command execution capabilities through Python’s subprocess module.
It features a streamlined file upload mechanism, allowing attackers to deliver additional tools and malware to compromised systems.
The backdoor maintains persistence by storing its C2 configuration in the Windows Registry, encrypted using AES-CBC with a key derived from the agent ID and the victim’s computer name.
This makes each infection unique and difficult to decrypt without specific environmental knowledge.

Security Impact and Evolution
The Anubis Backdoor provides FIN7 with a flexible remote access tool capable of operating across Windows environments.
Its design demonstrates FIN7’s continued evolution in developing covert communication channels that blend with legitimate network traffic.
The combination of multi-layered obfuscation, encryption, and modular command structure gives threat actors significant capabilities, including complete shell access, file exfiltration, and dynamic control of C2 infrastructure.
These features, along with operational security measures to hinder analysis and detection, underscore the sophistication and adaptability of FIN7’s latest tool.