FIN7's Advanced Anubis Backdoor: Full System Control on Windows
Discover how the FIN7 cybercrime group uses the Anubis backdoor to gain full system control on Windows. Learn about its features, delivery methods, and the significance of this threat.
TL;DR
The FIN7 cybercrime group has developed a sophisticated Python-based backdoor called Anubis, which allows attackers to gain full remote control over compromised Windows systems. This malware, distributed via phishing and hosted on compromised SharePoint sites, uses obfuscation techniques to evade detection and poses a significant security risk.
Introduction
The FIN7 cybercrime group, also known as Savage Ladybug, has developed a new Python-based malware called the Anubis Backdoor. This sophisticated tool enables attackers to gain full remote control over infected Windows systems, execute shell commands, and perform system operations while remaining undetected by most antivirus solutions.
Delivery and Execution
The Anubis Backdoor is distributed as a ZIP package containing a Python script and multiple Python executables. Some variants execute the obfuscated payload immediately after writing it to disk, while others load the payload and call a specific function from it. This variation in execution methods shows the malware’s adaptability and the threat actor’s effort to diversify delivery mechanisms for different operational scenarios [1].
Obfuscation and Encryption
The backdoor’s main entry point is a Python script of roughly 30 lines that decrypts and executes the real payload. The payload is stored base64-encoded and AES-CBC encrypted, and after decryption it is loaded with the exec function. Obfuscation consists of replacing variable names with visually similar characters, which hinders analysis without making it especially complex [2].
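As an added example (not code from the article, from PRODAFT, or from the malware itself), the following Python scanner looks for the loader pattern just described in a source file without ever executing it: a base64 decode, an AES cipher in CBC mode, a long base64-looking literal, an exec/eval call, and identifiers built from look-alike characters. The two inline samples are constructed; the “stager-like” one is a non-functional skeleton with placeholder key and IV and a junk blob, not an Anubis sample, and all function and pattern names are my own.

```python
"""Static scanner for the small Python 'stager' pattern described above.

Added example; not code from the article, PRODAFT or FIN7. It never
executes the scanned file: every signal is derived from text and the AST.
"""
import ast
import re

# Text-level indicators of the loader pattern (base64 -> AES-CBC -> exec).
PATTERNS = {
    "base64_decode": re.compile(r"\bb64decode\s*\("),
    "aes_cipher": re.compile(r"\bAES\b"),
    "cbc_mode": re.compile(r"\bMODE_CBC\b|\bmodes\.CBC\b"),
    "dynamic_exec": re.compile(r"\b(?:exec|eval)\s*\("),
    # A 200+ character run of base64 alphabet inside a string literal.
    "long_b64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
# Identifiers made only of characters that are easy to confuse with each other.
CONFUSABLE = re.compile(r"[lI1O0_]{3,}")


def confusable_identifiers(src):
    """Count distinct variable names that use look-alike or non-ASCII characters."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return 0
    names = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    return sum(1 for n in names if CONFUSABLE.fullmatch(n) or not n.isascii())


def scan_source(src):
    """Return the indicators found plus a verdict; raw signals are kept for triage."""
    hits = {name: bool(p.search(src)) for name, p in PATTERNS.items()}
    hits["confusable_names"] = confusable_identifiers(src)
    hits["line_count"] = src.count("\n") + 1
    # Verdict: something is decoded and handed to exec/eval, and either a cipher
    # or a large embedded blob is present. A short file and confusable names
    # are supporting signals an analyst would weigh, not hard requirements.
    hits["suspicious"] = (
        hits["dynamic_exec"]
        and hits["base64_decode"]
        and (hits["aes_cipher"] or hits["long_b64_literal"])
    )
    return hits


# Constructed samples. The stager-like one is a non-functional skeleton with
# placeholder key/IV and a junk blob; it is not an Anubis sample.
STAGER_LIKE = (
    "import base64\n"
    "from Crypto.Cipher import AES\n"
    'lIl1 = b"<KEY PLACEHOLDER>"\n'
    'Il1l = "' + "QUFB" * 60 + '"\n'
    'I1l1 = AES.new(lIl1, AES.MODE_CBC, b"<IV PLACEHOLDER>")\n'
    "exec(I1l1.decrypt(base64.b64decode(Il1l)))\n"
)
BENIGN = (
    "import base64, json\n"
    "def load_config(blob):\n"
    "    return json.loads(base64.b64decode(blob))\n"
)

if __name__ == "__main__":
    for label, sample in (("stager-like", STAGER_LIKE), ("benign", BENIGN)):
        print(label, scan_source(sample))
```

Because the verdict is built from independent signals, the benign config loader (which also calls b64decode) is not flagged, while the skeleton trips every indicator. In practice the scanner would run over files dropped from ZIP archives in user-writable paths, and the confusable-name count is what separates this loader style from ordinary minified scripts.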
Communication and Command Execution
The Anubis Backdoor communicates over a single TCP socket and switches to a second server if the first fails. Messages, including the group name, are base64-encoded. On execution it sends its process ID and local IP address to the C2 server. To determine the local IP, it creates a UDP socket to 8.8.8.8 on port 80, which lets the OS select the outbound interface address without sending any traffic. Each payload contains a group name and two IP addresses for communication [3].
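The communication pattern above, turned into a host-side detection as an added example (not code from the article or from PRODAFT): socket events are grouped per process and checked for the UDP connect() to 8.8.8.8 on a non-DNS port together with TCP sessions to exactly two external hosts on the same port, which is what a primary/fallback server pair looks like in telemetry. The log format, process paths, port numbers and addresses are constructed (TEST-NET ranges stand in for C2 hosts), and the function and field names are my own.

```python
"""Behavioural detector for the C2 pattern described above.

Added example; not code from the article, PRODAFT or FIN7. It reads
constructed socket-event telemetry (one connect() per line) and flags
processes that probe their local IP via 8.8.8.8:80 and then talk TCP to
a pair of external hosts.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed telemetry: "<timestamp> <pid> <image> <proto> <dst_ip> <dst_port>".
# TEST-NET addresses stand in for C2 hosts; the real ports are not in the report.
SAMPLE_LOG = r"""
2025-04-02T10:00:01Z 4120 C:\Users\u\AppData\Local\Temp\pkg\python.exe udp 8.8.8.8 80
2025-04-02T10:00:01Z 4120 C:\Users\u\AppData\Local\Temp\pkg\python.exe tcp 203.0.113.10 443
2025-04-02T10:01:05Z 4120 C:\Users\u\AppData\Local\Temp\pkg\python.exe tcp 203.0.113.10 443
2025-04-02T10:02:40Z 4120 C:\Users\u\AppData\Local\Temp\pkg\python.exe tcp 198.51.100.7 443
2025-04-02T10:00:30Z 2210 C:\Python312\python.exe udp 10.0.0.53 53
2025-04-02T10:00:31Z 2210 C:\Python312\python.exe tcp 10.0.0.80 443
2025-04-02T10:00:40Z 3390 C:\Windows\System32\svchost.exe udp 8.8.8.8 53
"""

INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_event(line):
    """Split one constructed log line into a dict; the image path has no spaces here."""
    ts, pid, image, proto, dst, port = line.split()
    return {"ts": ts, "pid": pid, "image": image,
            "proto": proto.lower(), "dst": dst, "port": int(port)}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect(lines):
    """Return one finding per process whose socket activity matches the pattern."""
    by_pid = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, events in by_pid.items():
        reasons = []
        # Signal 1: UDP connect() to a public resolver on a port that is not DNS.
        # The trick sends no packet, so only socket-call telemetry records it.
        if any(e["proto"] == "udp" and e["dst"] == "8.8.8.8" and e["port"] != 53
               for e in events):
            reasons.append("local_ip_probe")
        # Signal 2: TCP to exactly two external hosts on one port, matching a
        # config that carries a primary and a fallback server.
        external = {(e["dst"], e["port"]) for e in events
                    if e["proto"] == "tcp" and not is_internal(e["dst"])}
        if len(external) == 2 and len({p for _, p in external}) == 1:
            reasons.append("two_server_failover")
        if reasons and external:
            findings.append({"pid": pid, "image": events[0]["image"],
                             "reasons": reasons, "c2_candidates": sorted(external)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.strip().splitlines()):
        print(finding)
```

Only the interpreter running out of a Temp directory is reported; the developer’s python.exe that resolves names against an internal DNS server and a svchost.exe doing ordinary DNS to 8.8.8.8:53 are left alone. One caveat for deployment: because the local-IP trick never puts a packet on the wire, the UDP event exists only in telemetry that hooks socket calls (ETW or an EDR sensor), so a packet-based sensor will see just the two-server TCP pattern and should be allowed to alert on that alone.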
Functionalities
The backdoor supports multiple commands, including:
- Retrieving IP
- Modifying the registry
- Executing Python code
- Loading DLLs into memory
Remote code execution lets the malware load malicious functionality dynamically. It supports keylogging, file transfers, and registry modification, and it processes commands continuously until terminated, using subprocess.Popen for shell execution [4].
Threat Assessment
The Anubis Backdoor is a stealthy Python-based tool used by FIN7 to maintain access to compromised systems. Despite its mild obfuscation, it remains fully undetected (FUD) by most antivirus solutions. Delivered via malspam campaigns, with compromised SharePoint instances serving the payload, it poses a significant threat to enterprise environments. Variants of the backdoor execute the payload differently, suggesting ongoing refinement by the attackers [5].
Conclusion
The Anubis Backdoor represents a significant advancement in the capabilities of the FIN7 cybercrime group. Its ability to evade detection and gain full system control makes it a potent threat to Windows systems. Organizations must remain vigilant and implement robust security measures to protect against such sophisticated attacks.
References
[1] PRODAFT (2025). “Anubis Backdoor Overview”. Catalyst PRODAFT. Retrieved 2025-04-02.
[2] Security Affairs (2025). “New Advanced FIN7’s Anubis Backdoor Allows to Gain Full System Control on Windows”. Security Affairs. Retrieved 2025-04-02.
[3] PRODAFT (2025). “Anubis Backdoor Overview”. Catalyst PRODAFT. Retrieved 2025-04-02.
[4] Security Affairs (2025). “New Advanced FIN7’s Anubis Backdoor Allows to Gain Full System Control on Windows”. Security Affairs. Retrieved 2025-04-02.
[5] PRODAFT (2025). “Anubis Backdoor Overview”. Catalyst PRODAFT. Retrieved 2025-04-02.