The Russian advanced persistent threat group FIN7, also known as Carbanak and Savage Ladybug, has deployed the novel Python-based Anubis backdoor in attacks that give the operators full remote control of Windows systems, according to Security Affairs.
According to a PRODAFT report, FIN7 has run malspam campaigns that lure targets into downloading a malicious ZIP archive, hosted on compromised SharePoint sites, that contains a Python script and several Python executables, each using a different execution technique. Infection begins when the Python script decrypts and executes the Windows-targeted Anubis backdoor, which PRODAFT researchers say can retrieve the host's IP address, modify the registry, execute Python code, load DLLs in memory, log keystrokes, transfer files, and continuously process operator commands. "Despite its mild obfuscation, [Anubis backdoor] remains fully undetected (FUD) by most antivirus solutions... Variants of the backdoor execute the payload differently, suggesting ongoing refinement by attackers," the researchers added.
