Security researchers have identified a new backdoor attributed to FIN7, the financially motivated cybercrime group whose campaigns have caused losses estimated in the billions of dollars worldwide.
The Python-based malware, dubbed “Anubis Backdoor,” marks a further step in the evolution of the group’s tactics, techniques, and procedures (TTPs).
G Data researchers identified that initial infection occurs through a seemingly innocent ZIP archive containing multiple Python files, distributed via targeted phishing campaigns.
The key component, a script named “conf.py,” had remarkably low detection rates when first submitted to VirusTotal, demonstrating the effectiveness of the group’s obfuscation techniques.
The analysis describes a multi-layered loader that combines ordinary Python features (string splitting, temporary files, subprocess execution) with obfuscation to hide the malicious payload.
FIN7’s implementation continues the group’s move away from its earlier tooling, using a Python backdoor whose runtime behaviour resembles that of a normal script.
According to the researchers, what makes Anubis Backdoor particularly concerning is its small on-disk footprint and its anti-forensic handling of the payload.
The malware combines encryption and obfuscation of the embedded code with execution from a temporary file that is deleted as soon as the payload exits, so the decrypted script exists on disk only for the duration of its run, which complicates both detection and post-incident analysis.
Analysis of Anubis Backdoor
At the core of Anubis Backdoor’s functionality is its decryption and loading routine.
The malware uses a custom “load” function that splits the obfuscated blob on a fixed separator, takes one fragment as the encryption key, decrypts the remaining fragments into Python source, and runs that source from a temporary file which it deletes afterwards, leaving minimal traces on disk:
import os
import subprocess
import sys
import tempfile

# WD is the sample's own decryption class, constructed from the extracted key;
# its body is not reproduced here.
def load(obfcode):
    # The blob is split on a fixed 40-character separator
    listed = obfcode.split("_pKo_JX_" * 5)
    del listed[0]; del listed[-1]   # drop the text before the first and after the last separator
    key = listed[0].encode()        # the first remaining fragment is the key
    del listed[0]
    anubis = WD(key)
    src = ""
    for i in listed:                # every other fragment is one encrypted chunk of source
        src += anubis.decrypt(i) + "\n"
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(src.encode())
    tmp.flush()                     # make sure the bytes are on disk before the child reads them
    p = subprocess.Popen([sys.executable, tmp.name])   # run the script with the same interpreter
    tmp.close()
    p.wait()
    os.unlink(tmp.name)             # remove the decrypted script once it has finished
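For triage, the practical counterpart of this loader is a harness that performs the same slicing but dumps the decrypted source instead of executing it. The following is an added example, not code from the sample or from G Data; because the page does not show the body of the WD class, the decrypt routine is injected as a callable, and a repeating-key XOR with hex-encoded ciphertext is used only as a stand-in so that the harness runs offline. In real use the stand-in is replaced with the WD.decrypt method lifted from the sample.

```python
from typing import Callable, List, Tuple

# Separator used by the sample's load(): "_pKo_JX_" repeated five times.
SEP = "_pKo_JX_" * 5


def looks_like_anubis_blob(text: str) -> bool:
    """Quick triage check: a blob needs at least prefix, key, one stage and
    suffix, i.e. three or more separators."""
    return text.count(SEP) >= 3


def parse_blob(obfcode: str) -> Tuple[bytes, List[str]]:
    """Slice the blob the way load() does: discard the fragment before the
    first separator and after the last one, take the next fragment as the
    key, and treat everything else as encrypted stages."""
    parts = obfcode.split(SEP)
    if len(parts) < 4:
        raise ValueError("not an Anubis-style blob: too few separators")
    body = parts[1:-1]
    return body[0].encode(), body[1:]


def recover_source(obfcode: str, decrypt: Callable[[bytes, str], str]) -> str:
    """Rebuild the script exactly as load() concatenates it (one decrypted
    stage per line) but return it instead of handing it to sys.executable."""
    key, stages = parse_blob(obfcode)
    return "".join(decrypt(key, stage) + "\n" for stage in stages)


# --- stand-in cipher (assumption) -------------------------------------------
# WD's algorithm is not on the page. Repeating-key XOR over hex text is used
# here only so the harness can be exercised; swap in the real WD.decrypt.
def xor_hex_decrypt(key: bytes, chunk: str) -> str:
    raw = bytes.fromhex(chunk)
    return bytes(b ^ key[n % len(key)] for n, b in enumerate(raw)).decode()


def xor_hex_encrypt(key: bytes, text: str) -> str:
    data = text.encode()
    return bytes(b ^ key[n % len(key)] for n, b in enumerate(data)).hex()


def build_sample_blob(key: bytes, stages: List[str]) -> str:
    """Constructed test input in the load() layout: junk, key, stages, junk."""
    pieces = ["#junk"] + [key.decode()] + [xor_hex_encrypt(key, s) for s in stages] + ["#junk"]
    return SEP.join(pieces)


if __name__ == "__main__":
    blob = build_sample_blob(b"k3y", ["import os", "print(os.getcwd())"])
    if looks_like_anubis_blob(blob):
        print(recover_source(blob, xor_hex_decrypt))
```

Dumping rather than executing also sidesteps the loader's anti-forensic step: the recovered source never has to be written to a temporary file at all, and can be saved under a stable name for further analysis.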
The backdoor keeps its command and control (C2) configuration in the Windows Registry, under “HKEY_CURRENT_USER\Software\FormidableHandlers” or a similarly randomized key name, so that C2 updates received at runtime persist between runs.
Communication with the C2 servers takes place over TCP ports 80 and 443, with the traffic obfuscated by Base64-encoding the data and then substituting the standard Base64 alphabet with a custom one.
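The alphabet-substitution step is cheap to implement and equally cheap to reverse once the alphabet has been recovered from the sample. The following is an added example, not code from the malware or from the researchers: it builds an encoder/decoder pair from a 64-character alphabet using a translation table, which is the general technique behind “Base64 with a custom alphabet”. The page does not publish the alphabet the backdoor uses, so a rotation of the standard alphabet is assumed purely so the example runs; the check-in message layout and field names are likewise constructed for illustration.

```python
import base64
import json
import string
from typing import Callable, Tuple

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def make_codec(custom_alphabet: str) -> Tuple[Callable[[bytes], str], Callable[[str], bytes]]:
    """Return (encode, decode) for Base64 over a substituted alphabet.
    Encoding uses the standard alphabet and then maps each symbol to the
    custom one; decoding reverses the mapping first. The '=' padding is
    not part of the alphabet and passes through untouched."""
    if len(custom_alphabet) != 64 or len(set(custom_alphabet)) != 64 or "=" in custom_alphabet:
        raise ValueError("alphabet must be 64 distinct characters and must not contain '='")
    std_to_custom = str.maketrans(STD_ALPHABET, custom_alphabet)
    custom_to_std = str.maketrans(custom_alphabet, STD_ALPHABET)

    def encode(data: bytes) -> str:
        return base64.b64encode(data).decode("ascii").translate(std_to_custom)

    def decode(text: str) -> bytes:
        # validate=True rejects any character outside the (translated) alphabet,
        # which is a useful sanity check when guessing alphabets during analysis.
        return base64.b64decode(text.translate(custom_to_std), validate=True)

    return encode, decode


# ASSUMPTION: the real alphabet must be lifted from the sample. A 13-position
# rotation of the standard alphabet is used here only so the example runs.
EXAMPLE_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

encode_beacon, decode_beacon = make_codec(EXAMPLE_ALPHABET)


def encode_checkin(agent_id: str) -> str:
    """Constructed check-in message; the JSON layout is illustrative only."""
    return encode_beacon(json.dumps({"id": agent_id, "cmd": "checkin"}).encode())


def decode_checkin(text: str) -> dict:
    return json.loads(decode_beacon(text))


if __name__ == "__main__":
    wire = encode_checkin("A19N")
    print(wire)
    print(decode_checkin(wire))
```

A practical consequence for detection: because only the symbol mapping changes, the output keeps Base64's length profile and '=' padding, so entropy-based or length-based Base64 heuristics still fire even though a standard decoder yields garbage.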
Static configuration within the code revealed default C2 servers at 38.134.148.20 and 5.252.177.249, along with a hardcoded agent identifier:
AGENT_ID = 'A19N'
DEFAULT_C2_SERVERS = ['38.134.148.20','5.252.177.249']
DEFAULT_C2_PORTS = [80, 443]
The backdoor’s command set gives the operator broad control of the host, including file operations, environment reconnaissance, and updating the C2 configuration at runtime.
This gives FIN7 flexible remote access that blends into ordinary web traffic, making Anubis Backdoor a serious threat to organizations worldwide.
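The loader's execution pattern described above, in which the decrypted source is written to a file created by tempfile.NamedTemporaryFile and then run with the same Python interpreter, is itself a detection opportunity. The following is an added example, not part of the original analysis: it runs a simple rule over process-creation events (constructed here, not real telemetry) and flags a Python interpreter whose script argument is a tempfile-style name (the “tmp” prefix followed by eight characters from a-z, 0-9 and underscore, which is the library default) in a Windows temp directory, raising confidence when the parent process is also Python. The field names of the event record are assumed; map them to your EDR or Sysmon schema.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Interpreter images: python.exe, pythonw.exe, python3.12.exe, ...
PYTHON_IMAGE = re.compile(r"(?i)(?:^|\\)pythonw?(?:\d+(?:\.\d+)?)?\.exe$")
# tempfile.NamedTemporaryFile default names: "tmp" + 8 chars of [a-z0-9_],
# usually without an extension, under %LOCALAPPDATA%\Temp or C:\Windows\Temp.
TEMP_SCRIPT = re.compile(r"(?i)\\(?:AppData\\Local\\Temp|Windows\\Temp)\\tmp[a-z0-9_]{6,}(?:\.py)?$")


@dataclass
class ProcEvent:          # field names are assumptions, not a vendor schema
    parent_image: str
    image: str
    command_line: str


@dataclass
class Hit:
    index: int
    script: str
    parent_is_python: bool   # True matches the sys.executable re-spawn exactly


def _args(command_line: str) -> List[str]:
    # posix=False keeps backslashes intact; strip the quotes it leaves on tokens.
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def temp_script_arg(command_line: str) -> Optional[str]:
    """Return the first argument that looks like a tempfile-named script."""
    for tok in _args(command_line)[1:]:
        if TEMP_SCRIPT.search(tok):
            return tok
    return None


def find_temp_python_execution(events: List[ProcEvent]) -> List[Hit]:
    hits: List[Hit] = []
    for i, ev in enumerate(events):
        if not PYTHON_IMAGE.search(ev.image):
            continue
        script = temp_script_arg(ev.command_line)
        if script is None:
            continue
        hits.append(Hit(i, script, bool(PYTHON_IMAGE.search(ev.parent_image))))
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcEvent(r"C:\Python312\python.exe", r"C:\Python312\python.exe",
              r'"C:\Python312\python.exe" C:\Users\jdoe\AppData\Local\Temp\tmpk3x9_a2q'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Python312\python.exe",
              r'"C:\Python312\python.exe" C:\Tools\inventory.py'),
    ProcEvent(r"C:\Python312\python.exe", r"C:\Python312\python.exe",
              r'"C:\Python312\python.exe" -m pip install requests'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Python312\pythonw.exe",
              r'"C:\Python312\pythonw.exe" C:\Windows\Temp\tmpzz12ab34.py'),
]

if __name__ == "__main__":
    for hit in find_temp_python_execution(SAMPLE_EVENTS):
        print(hit)
```

Because the temporary file is unlinked as soon as the child exits, a file-based alert usually arrives too late to collect the script; pairing this rule with on-demand file capture on process start, or with a FIM rule on the temp directory, is what actually preserves the decrypted payload for analysis.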