Russian APT group FIN7—also known as Carbanak and Savage Ladybug—is using a new Python-based Anubis backdoor to gain full remote control of Windows systems, according to Security Affairs.
FIN7 sends malspam (malware spam) to trick users into downloading malicious ZIP files from compromised SharePoint sites. These files contain Python scripts that decrypt and run the Anubis backdoor, which supports keylogging, file transfers, in-memory DLL loading, and continuous command execution.
Despite only mild obfuscation, the malware remains undetected by most antivirus tools, says PRODAFT, who also notes ongoing refinements in how variants execute the payload. The malware’s core—a 30-line Python script—decrypts and executes an AES-CBC encrypted payload using base64 encoding and the exec function. It communicates with command-and-control servers over a single TCP socket and switches to backup servers if needed. Upon launch, it shares the infected system’s process ID and local IP with the attackers.
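The loader shape described above (base64-decode, AES-CBC-decrypt, then hand the result to `exec`, with a raw TCP socket for C2) can be spotted statically by looking for that combination of calls in a script's AST. The following detection helper is an added example, not code from the report or from PRODAFT; the two embedded scripts are constructed samples (the "loader" holds only a placeholder string and is parsed, never executed).

```python
import ast

# Constructed sample in the shape the report describes: base64 -> AES-CBC -> exec.
# The base64 blob decodes to the text "PLACEHOLDER"; this source is only parsed.
SAMPLE_LOADER = '''
import base64, socket
from Crypto.Cipher import AES
k = b"0123456789abcdef"; iv = b"fedcba9876543210"
s = socket.socket()
blob = base64.b64decode("UExBQ0VIT0xERVI=")
exec(AES.new(k, AES.MODE_CBC, iv).decrypt(blob))
'''

# Constructed benign sample: base64 use alone should not trigger.
SAMPLE_BENIGN = '''
import base64
print(base64.b64decode("aGVsbG8=").decode())
'''

def _name_of(node):
    # Dotted name for Name/Attribute nodes, e.g. "AES.new" or "base64.b64decode".
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name_of(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""

def loader_indicators(source):
    """Return the set of loader-shaped indicators found in Python source text."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and "crypto" in (node.module or "").lower():
            found.add("crypto_import")          # PyCryptodome / cryptography imports
        if isinstance(node, ast.Import) and any("crypto" in a.name.lower() for a in node.names):
            found.add("crypto_import")
        if isinstance(node, ast.Attribute) and node.attr == "MODE_CBC":
            found.add("aes_cbc")                # AES.MODE_CBC cipher construction
        if isinstance(node, ast.Call):
            name = _name_of(node.func)
            if name in ("exec", "eval"):
                found.add("dynamic_exec")       # decrypted bytes handed to exec/eval
            elif name.endswith("b64decode"):
                found.add("base64_decode")
            elif name == "socket.socket":
                found.add("raw_socket")         # single TCP socket for C2
    return found

def is_suspicious(source):
    """Flag scripts that combine dynamic exec with decoded or decrypted input."""
    ind = loader_indicators(source)
    return "dynamic_exec" in ind and bool({"base64_decode", "aes_cbc"} & ind)
```

Run it over staged Python files from a mail gateway or endpoint quarantine; a hit is a triage lead, not proof of compromise, since benign packers use similar calls.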
The malware is also capable of executing shell commands, modifying the registry, and dynamically loading malicious functionalities, making it highly adaptable and dangerous. FIN7 has been active since 2015, primarily targeting U.S.-based restaurants, gambling, and hospitality sectors to steal financial data for use in attacks or sale on cybercrime markets.