Full Report
The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan of the same name) that can grant them remote access to compromised Windows systems. "This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine," Swiss
Analysis Summary
# Threat Actor: FIN7
## Attribution & Identity
**Identification:** Financially motivated threat actor, described as a Russian cybercrime group.
**Known Aliases and Associated Groups:** Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, Savage Ladybug.
## Activity Summary
FIN7 is actively deploying a new Python-based backdoor named **Anubis** (distinct from the Android banking trojan). This activity is associated with campaigns designed to gain remote access to compromised Windows systems. In July 2024, the group was also observed advertising a tool called **AuKill (aka AvNeutralizer)**, suggesting an attempt to diversify monetization strategies. The Anubis backdoor is currently spread via malspam campaigns that leverage compromised **SharePoint sites** to entice victims into execution.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Propagation via malspam campaigns using ZIP archives delivered from compromised SharePoint sites.
- **Execution:** Victim executes a Python script which decrypts and executes the main obfuscated payload directly in memory.
- **Command and Control (C2):** Establishes communication with a remote server over a TCP socket using Base64-encoded formats for both sending and receiving data.
- **Defense Evasion:** The backdoor is kept deliberately lightweight, which reduces the risk of detection while preserving flexibility.
- **Execution (Remote):** Executes responses received from the operator as shell commands.
- **Collection:** Ability to gather host IP, upload/download files, change current working directory, grab environment variables, and alter Windows Registry. Can perform keylogging, take screenshots, or steal passwords via remote shell commands if instructed by the operator.
- **T1547.001 (Implied via Registry modification/Persistence setup):** Altering Windows Registry.
- **T1059 (Implied via Shell execution):** Execution of operator commands via shell commands.
- **T1027 (Implied via payload execution):** Decrypting and executing payload directly in memory.
## Targeting
- **Sectors:** Not explicitly detailed, but the group's financial motivation and historical profile point to sectors where direct financial gain is possible.
- **Geography:** No region is named; the malware targets Windows systems, so the implied scope is global.
- **Victims:** Not specifically named in the summary, but the infection vector targets users who interact with compromised SharePoint sites.
## Tools & Infrastructure
- **Malware Families Used:** Anubis (Python-based backdoor), AuKill (AvNeutralizer - tool for terminating security tools).
- **Infrastructure (C2, domains, IPs):** Communication is established with a **remote server** via TCP socket, though specific C2 addresses/domains are omitted from the summary text.
## Implications
FIN7 continues to demonstrate an ability to evolve its toolset (moving from traditional theft to ransomware affiliation and tool diversification). The deployment of Anubis, a memory-resident backdoor capable of highly flexible remote command execution, indicates a strong capability for maintaining persistent, low-detection access after compromise.
## Mitigations
- Implement robust email and spam filtering to defend against initial malspam delivery.
- Exercise caution regarding attachments and scripts delivered via communication channels, especially those originating from SharePoint sites.
- Employ endpoint detection and response (EDR) solutions capable of monitoring for in-memory script execution (Python).
- Monitor for abnormal outbound TCP connections on less-common ports, particularly where the payload is Base64-encoded plaintext rather than a standard protocol.
- Restrict registry modifications and DLL loading that are not sanctioned by IT policy.
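The C2 channel described above (raw TCP socket, Base64 in both directions) and the monitoring recommendation suggest a simple network heuristic: raw TCP payloads on uncommon ports that consist of a single strict Base64 token decoding to printable text. The following is an added detection example written for this summary, not code from the report or from the malware; the flow records, ports and allow-list are constructed, and the threshold values are assumptions to be tuned per environment.

```python
import base64
import re
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Strict Base64: groups of 4 symbols with optional padding and nothing else.
_B64_RE = re.compile(rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
# Ports where Base64 bodies are normal (HTTP, mail) and would only add noise. Constructed allow-list.
COMMON_PORTS = {25, 80, 443, 465, 587, 993, 995}
PRINTABLE = set(string.printable.encode())

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client->server payload

def decode_if_base64_text(payload: bytes, min_len: int = 16) -> Optional[str]:
    """Return the decoded text if the payload is one strict Base64 token that
    decodes to mostly printable ASCII (shell commands or output), else None."""
    data = payload.strip()
    if len(data) < min_len or not _B64_RE.match(data):
        return None
    decoded = base64.b64decode(data, validate=True)
    if not decoded:
        return None
    printable_ratio = sum(b in PRINTABLE for b in decoded) / len(decoded)
    # 0.95 is an assumed threshold: real TLS/binary protocols fall far below it.
    return decoded.decode("ascii", errors="replace") if printable_ratio >= 0.95 else None

def flag_suspicious_flows(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Flag flows on uncommon ports whose payload is Base64-wrapped plaintext."""
    hits = []
    for f in flows:
        if f.dport in COMMON_PORTS:
            continue
        text = decode_if_base64_text(f.payload)
        if text is not None:
            hits.append((f.src, f.dst, f.dport, text))
    return hits

# Constructed sample flows (not real traffic): an encoded command on a raw TCP
# port, a TLS-looking binary blob, and a Base64 body on HTTPS (allow-listed port).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 4444, base64.b64encode(b"whoami && ipconfig /all")),
    Flow("10.0.0.5", "198.51.100.2", 8443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x5a\x1b\x7f\x9c\x01\x02"),
    Flow("10.0.0.6", "198.51.100.9", 443, base64.b64encode(b"normal web form body here")),
]

if __name__ == "__main__":
    for hit in flag_suspicious_flows(SAMPLE_FLOWS):
        print("suspicious:", hit)
```

Only the first constructed flow is flagged; the heuristic is meant as a triage signal to pair with EDR telemetry on in-memory Python execution, not as a standalone verdict.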