The article discusses the emergence of a new Python-based backdoor, "AnubisBackdoor", used by the financially motivated cybercrime group FIN7. The malware layers obfuscation and encryption so that its activity blends in with legitimate traffic and processes, complicating both detection and forensic analysis. The group has primarily targeted the financial and hospitality sectors. Affected: financial sector, hospitality sector
Keypoints :
- FIN7 has developed a new Python-based backdoor known as AnubisBackdoor.
- The backdoor employs advanced obfuscation and encryption techniques to evade detection.
- The initial infection vector involves distributing ZIP archives via phishing campaigns.
- The conf.py component uses AES encryption and dynamic obfuscation methods to hide its contents.
- The backdoor maintains command-and-control communication with its operators over HTTP.
- It features capabilities for file upload, environment reconnaissance, and command execution.
- The malware keeps its configuration in the Windows Registry so that it persists between executions.
- AnubisBackdoor represents an evolution in FIN7's tooling since the group first appeared in 2015.
MITRE Techniques :
- T1027: Obfuscated Files or Information – The AnubisBackdoor uses obfuscation and encryption techniques to mask its payload.
- T1047: Windows Management Instrumentation – Uses WMI for command execution and persistence.
- T1071: Application Layer Protocol – Implements custom C2 communication over standard HTTP ports.
- T1070: Indicator Removal (the File Deletion sub-technique, T1070.004, is the one that applies) – The malware deletes temporary files after execution to reduce traceability.
- T1135: Network Share Discovery – Reconnaissance capabilities for identifying network shares within the victim’s environment.
Indicator of Compromise :
- [SHA-1] 03a160127cce3a96bfa602456046cc443816af71
- [SHA-256] 5203f2667ab71d154499906d24f27f94e3ebdca4bba7fe55fe490b336bad8919
- [IP Address] 38.134.148.205
- [IP Address] 252.177.249 (listed incompletely in this summary: only three octets are given, so the value cannot be used as-is; confirm the full address in the linked report)
- [Domain] c2s (as listed in this summary; this is not a fully qualified domain name and should be verified against the linked report before it is added to any block list)
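Before loading an indicator list like the one above into a blocklist or a log sweep, it pays to validate each entry: the list as given contains a three-octet "IP address" and a one-token "domain", and a naive matcher would either never fire on them or fire on junk. The following Python is an added example written for this page, not code from G DATA or the analysed article. It parses the summary's own IoC lines, rejects the malformed ones with a reason, and then sweeps constructed proxy log lines and in-memory file contents for hash, IP and domain hits. The log lines are constructed for the example and do not come from any real incident; the validation logic is general and handles any list in the same `[Type] value` layout, not just the five entries above.

```python
"""Validate a `[Type] value` IoC list and sweep logs and files for hits.

Added example for this summary; not code from G DATA or the article.
The IoC lines are copied from the summary above, malformed entries included,
so that the validator's behaviour on them is visible.
"""
import hashlib
import ipaddress
import re

IOC_LINES = [
    "[SHA-1] 03a160127cce3a96bfa602456046cc443816af71",
    "[SHA-256] 5203f2667ab71d154499906d24f27f94e3ebdca4bba7fe55fe490b336bad8919",
    "[IP Address] 38.134.148.205",
    "[IP Address] 252.177.249",   # only three octets as listed
    "[Domain] c2s",               # not a fully qualified domain name as listed
]

_IOC_RE = re.compile(r"^\[(?P<kind>[^\]]+)\]\s+(?P<value>\S+)$")
_HEX_LEN = {"SHA-1": 40, "SHA-256": 64}
# Labels of letters/digits/hyphens separated by dots, ending in an alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def parse_iocs(lines):
    """Return ({kind: set(values)}, [(line, reason), ...]) after validating each entry."""
    valid = {"SHA-1": set(), "SHA-256": set(), "IP Address": set(), "Domain": set()}
    rejected = []
    for line in lines:
        m = _IOC_RE.match(line.strip())
        if not m:
            rejected.append((line, "unrecognised line format"))
            continue
        kind, value = m.group("kind"), m.group("value").lower()
        if kind in _HEX_LEN:
            if len(value) != _HEX_LEN[kind] or not re.fullmatch(r"[0-9a-f]+", value):
                rejected.append((line, f"{kind} must be {_HEX_LEN[kind]} hex characters"))
                continue
        elif kind == "IP Address":
            try:
                addr = ipaddress.ip_address(value)   # raises on "252.177.249"
            except ValueError:
                rejected.append((line, "not a complete IP address"))
                continue
            if not addr.is_global:
                rejected.append((line, "not a globally routable address"))
                continue
        elif kind == "Domain":
            if not _DOMAIN_RE.match(value):        # "c2s" has no dot, so it fails
                rejected.append((line, "not a fully qualified domain name"))
                continue
        else:
            rejected.append((line, f"unknown indicator type {kind!r}"))
            continue
        valid[kind].add(value)
    return valid, rejected


def hash_blob(data: bytes):
    """Return (sha1_hex, sha256_hex) for the given bytes."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def scan_files(files, iocs):
    """files: {name: bytes}. Return [(name, algorithm, digest)] for every hash hit."""
    hits = []
    for name, data in files.items():
        sha1, sha256 = hash_blob(data)
        if sha1 in iocs["SHA-1"]:
            hits.append((name, "SHA-1", sha1))
        if sha256 in iocs["SHA-256"]:
            hits.append((name, "SHA-256", sha256))
    return hits


def scan_proxy_log(log_lines, iocs):
    """Return [(line_number, indicator)] for lines whose IPv4s or hostnames are listed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        lowered = line.lower()
        for ip in sorted(set(_IPV4_RE.findall(lowered))):
            if ip in iocs["IP Address"]:
                hits.append((n, ip))
        for host in sorted(set(_HOST_RE.findall(lowered))):
            if host in iocs["Domain"]:
                hits.append((n, host))
    return hits


# Constructed squid-style proxy log lines for the example; not from a real incident.
SAMPLE_LOG = [
    "1741800000.123 210 10.0.0.15 TCP_MISS/200 1432 POST http://38.134.148.205/ - HIER_DIRECT/38.134.148.205 text/html",
    "1741800001.456 95 10.0.0.15 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1741800002.789 40 10.0.0.22 TCP_MISS/200 800 GET http://38.134.148.205:80/beacon - HIER_DIRECT/38.134.148.205 text/plain",
]

if __name__ == "__main__":
    iocs, rejected = parse_iocs(IOC_LINES)
    for line, reason in rejected:
        print(f"REJECTED {line!r}: {reason}")
    for n, indicator in scan_proxy_log(SAMPLE_LOG, iocs):
        print(f"log line {n}: contact with listed indicator {indicator}")
    print("file hits:", scan_files({"benign.txt": b"hello"}, iocs))
```

Run as-is it rejects the two malformed entries, reports the two constructed log lines that contact 38.134.148.205, and finds no file hits because no real sample is embedded; point `scan_files` at real file contents (for example the extracted ZIP payloads from the phishing stage) to check them against the SHA-1 and SHA-256 values. The `is_global` check also catches a complete but reserved address, which is worth keeping for lists that arrive with transcription errors.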
Full Story: https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor