FIN7’s Anubis Backdoor hijacks Windows systems via compromised SharePoint sites....
The Russian cybercrime group **FIN7** (aka Savage Ladybug, Carbon Spider) has unleashed **Anubis**, a Python-based backdoor targeting Windows systems via compromised SharePoint instances and phishing campaigns. Designed for stealth and flexibility, Anubis enables remote command execution, file theft, and registry manipulation while evading detection. This Threatfeed dissects its technical architecture, attack lifecycle, and defensive countermeasures, providing a holistic view of one of 2024’s most insidious threats.
### **Anatomy of Anubis**
#### **1. Delivery Mechanisms**
FIN7 employs two primary vectors to deploy Anubis:
- **Malspam Campaigns**: Phishing emails mimic legitimate invoices or corporate communications, urging victims to download ZIP files containing a decoy Python script.
- **Compromised SharePoint Sites**: Malware hosted on trusted SharePoint domains bypasses URL reputation filters, exploiting organizational trust in Microsoft ecosystems.
#### **2. Payload Obfuscation & Execution**
The decoy script (30–50 lines of code) decrypts the primary payload using **AES in CBC mode** with a unique key embedded in each sample. Example decryption logic (key, IV and ciphertext differ from sample to sample):
```python
from Crypto.Cipher import AES  # pycryptodome
import base64

# Key, IV and ciphertext are embedded per sample; placeholders shown here.
key = b"<per-sample 16/24/32-byte AES key>"
iv = b"<per-sample 16-byte IV>"
encrypted_data = "<base64 ciphertext embedded in the decoy>"

cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_payload = cipher.decrypt(base64.b64decode(encrypted_data))
exec(decrypted_payload)  # in-memory execution to avoid disk writes
```
**Key Evasion Tactics**:
- **Variable Obfuscation**: Uses `L`, `I`, and similar single-letter variables to hinder static analysis.
- **Execution Variants**: Some samples write the decrypted payload to disk (e.g., `%TEMP%`), while others execute it directly in memory.
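The traits listed above (single-letter names, a `Crypto` import, `base64`, and `exec()` of a runtime-computed value) are cheap to check statically. The following triage heuristic is an added example written for this page, not code from the article or from any FIN7 sample; the two scripts it inspects are constructed inline, only parsed and never executed, and the threshold of 50% single-letter names is an assumption.

```python
import ast
from dataclasses import dataclass, field

# Constructed sample modelled on the decoy-script pattern described above.
# It is only parsed, never executed; the base64 blob is meaningless.
DECOY_SAMPLE = '''
from Crypto.Cipher import AES
import base64
L = b"0123456789abcdef"
I = b"fedcba9876543210"
O = "bm90IGEgcmVhbCBwYXlsb2Fk"
l = AES.new(L, AES.MODE_CBC, I)
I1 = l.decrypt(base64.b64decode(O))
exec(I1)
'''

# Constructed benign script for comparison.
BENIGN_SAMPLE = '''
import json

def load_config(path):
    with open(path) as fh:
        return json.load(fh)
'''


@dataclass
class TriageResult:
    single_letter_ratio: float
    uses_crypto_import: bool
    uses_base64: bool
    dynamic_exec: bool
    indicators: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def triage_script(source: str, name_ratio_threshold: float = 0.5) -> TriageResult:
    """Parse a Python script and count the dropper traits described in the article."""
    tree = ast.parse(source)
    assigned = set()
    uses_crypto = uses_b64 = dynamic_exec = False

    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            assigned.add(node.id)
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in ("Crypto", "Cryptodome"):
                uses_crypto = True
        elif isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root == "base64":
                    uses_b64 = True
                elif root in ("Crypto", "Cryptodome"):
                    uses_crypto = True
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "exec"):
            # exec() of a runtime-computed value (not a string literal) is the
            # in-memory execution pattern; a literal would be visible statically.
            if node.args and not isinstance(node.args[0], ast.Constant):
                dynamic_exec = True

    ratio = (sum(1 for n in assigned if len(n) == 1) / len(assigned)) if assigned else 0.0

    indicators = []
    if ratio >= name_ratio_threshold:
        indicators.append("mostly single-letter variable names")
    if uses_crypto:
        indicators.append("PyCryptodome/PyCrypto import")
    if uses_b64:
        indicators.append("base64 import")
    if dynamic_exec:
        indicators.append("exec() of runtime-computed data")
    return TriageResult(ratio, uses_crypto, uses_b64, dynamic_exec, indicators)


if __name__ == "__main__":
    for label, src in (("decoy", DECOY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage_script(src)
        print(f"{label}: score={r.score} ratio={r.single_letter_ratio:.2f} {r.indicators}")
```

Each indicator is weak on its own (plenty of legitimate code imports `base64`), so the value lies in the combination: a short script that hits all four is worth a closer look, while a single hit is not. Because the check is purely syntactic, it also works on the decoy extracted from a ZIP attachment before anything runs.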
### **Command & Control (C2) Infrastructure**
Anubis communicates with prioritized C2 servers via **TCP sockets**, failing over to backup IPs if blocked. All traffic is **base64-encoded**, mimicking benign web traffic.
#### **Key C2 Features**
- **Host Fingerprinting**: Upon infection, Anubis sends the host’s IP (detected via UDP socket to `8.8.8.8:80`) and process ID.
- **Modular Design**: Operators dynamically inject scripts for tasks like keylogging, avoiding hardcoded malware features.
### **Anubis’ Arsenal: Full Command Breakdown**
| **Command** | **Function** | **Risk Level** |
|----------------|-----------------------------------------------------------------------------|----------------|
| `killexit` | Terminates the backdoor process. | Low |
| `ip` | Fetches the host’s local and public IP addresses. | Medium |
| `cd` | Changes the working directory (e.g., navigating to sensitive folders). | High |
| `gt` | Exfiltrates files from the host to the C2 server. | Critical |
| `up` | Uploads malicious files (e.g., ransomware) to the host. | Critical |
| `env` | Harvests environment variables (e.g., API keys, credentials). | High |
| `!cf!` | Modifies Windows Registry (e.g., `HKCU\Software\Microsoft\Windows`). | Critical |
| `!tcf!` | Scans TCP ports (default: 80, 443) on specified IPs for lateral movement. | High |
| `!execpy!` | Executes attacker-provided Python code in a new thread (e.g., ransomware). | Critical |
| `!mme` | Injects DLLs into memory using **PythonMemoryModule** (e.g., Cobalt Strike).| Critical |
### **Why Anubis Evades Detection**
1. **Fileless Execution**: In the in-memory variant, the payload leaves no disk artifacts beyond the decoy script itself.
2. **Legitimate Tool Abuse**: Uses Python (often whitelisted in enterprises) for malicious purposes.
3. **Lightweight Design**: Avoids bulky code; critical features (e.g., screenshot capture) are loaded remotely.
4. **Obfuscation Simplicity**: While rudimentary, variable renaming suffices against signature-based AVs.
### **FIN7’s Strategic Evolution**
#### **From Data Theft to Ransomware**
FIN7 has transitioned from POS malware and credit card theft (e.g., **Carbanak**) to a **ransomware affiliate model**. Recent activities include:
- **AuKill Tool**: Advertised in July 2024 to disable security software (e.g., CrowdStrike, Microsoft Defender).
- **SharePoint Exploits**: Leveraging trusted platforms to bypass email attachment filters.
#### **Enterprise Targeting**
By hijacking SharePoint sites, FIN7 infiltrates networks where traditional perimeter defenses fail. Case studies reveal:
- **Healthcare Sector**: Attackers exfiltrated patient data before deploying ransomware.
- **Financial Institutions**: Stolen credentials used for SWIFT transaction fraud.
### **Mitigation Strategies**
#### **Technical Defenses**
1. **Endpoint Detection & Response (EDR)**:
- Block `exec()` and `PythonMemoryModule` usage.
- Monitor for base64-encoded TCP traffic on non-standard ports.
2. **Network Segmentation**:
- Isolate SharePoint environments from critical assets.
- Restrict outbound traffic to unknown IPs.
3. **Registry Hardening**:
- Audit `HKCU\Software\Microsoft\Windows` for unauthorized changes.
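One way to put the EDR guidance above into practice, as an added example that is not part of the original article: a detector that walks connection-log records and raises two of the behaviours described earlier, a Python process opening a UDP socket to `8.8.8.8:80` (the local-IP discovery step) and a Python process sending a base64-looking payload to a non-standard TCP port. The tab-separated log format, the process names, the IP addresses and the beacon contents are all constructed for this example.

```python
import base64
import binascii
import re

PYTHON_PROCS = {"python.exe", "pythonw.exe", "python3.exe"}
STANDARD_PORTS = {80, 443}
FINGERPRINT_TARGET = ("udp", "8.8.8.8", 80)  # local-IP discovery trick named in the article

# Constructed beacon: what a fingerprint message might look like once base64-encoded.
BEACON = base64.b64encode(b"ip 192.0.2.5 pid 4120").decode()

# Constructed connection log: timestamp, process, protocol, destination, payload sample.
SAMPLE_LOG = [
    "2024-07-01T10:00:01Z\tpython.exe\tudp\t8.8.8.8:80\t",
    f"2024-07-01T10:00:02Z\tpython.exe\ttcp\t203.0.113.10:4444\t{BEACON}",
    "2024-07-01T10:00:03Z\tchrome.exe\ttcp\t198.51.100.7:443\tGET / HTTP/1.1",
    '2024-07-01T10:00:04Z\tpython.exe\ttcp\t10.0.0.5:443\t{"status":"ok"}',
]


def looks_base64(payload: str) -> bool:
    """Heuristic: base64 alphabet, padded length, and a clean strict decode."""
    s = payload.strip()
    if len(s) < 16 or len(s) % 4:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_line(line: str) -> dict:
    ts, proc, proto, dst, payload = line.split("\t", 4)
    host, port = dst.rsplit(":", 1)
    return {"ts": ts, "proc": proc.lower(), "proto": proto.lower(),
            "host": host, "port": int(port), "payload": payload}


def detect(lines) -> list:
    """Return (timestamp, destination, reason) for each suspicious record."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["proc"] not in PYTHON_PROCS:
            continue
        dst = f"{ev['host']}:{ev['port']}"
        if (ev["proto"], ev["host"], ev["port"]) == FINGERPRINT_TARGET:
            alerts.append((ev["ts"], dst,
                           "UDP socket to 8.8.8.8:80 from a Python process (local-IP discovery)"))
        elif (ev["proto"] == "tcp" and ev["port"] not in STANDARD_PORTS
              and looks_base64(ev["payload"])):
            alerts.append((ev["ts"], dst,
                           "base64-encoded payload from a Python process to a non-standard TCP port"))
    return alerts


if __name__ == "__main__":
    for ts, dst, reason in detect(SAMPLE_LOG):
        print(f"{ts} {dst}: {reason}")
```

Two caveats for anyone turning this into a production rule. The `8.8.8.8:80` UDP connect is a common idiom in legitimate scripts for finding the host's own address, so that alert is a correlation signal (parent process, script path under `%TEMP%` or a ZIP extraction folder) rather than a verdict on its own. The non-standard-port condition mirrors the article's advice; relaxing it to all ports catches more traffic at the cost of more alerts, so tune it against your own baseline of Python network activity.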
#### **Policy & Training**
- **Phishing Simulations**: Train staff to identify malspam lures (e.g., fake invoices).
- **Zero-Trust Architecture**: Enforce MFA and least-privilege access for SharePoint.
### **Industry Insights**
- **PRODAFT**: “Anubis isn’t just a backdoor—it’s a gateway for FIN7’s ransomware payloads. Its simplicity is its greatest weapon.”
- **GDATA**: “The ability to execute arbitrary Python code makes attribution nearly impossible.”
- **Microsoft Security Team**: “SharePoint compromises highlight the need for continuous configuration audits.”
---
### **Python Malware**
Anubis underscores a growing trend of **offensive Python usage** in cybercrime due to:
- Cross-platform compatibility.
- Ease of integration with legitimate tools (e.g., PowerShell, Cobalt Strike).
- Low detection rates in enterprise environments.
FIN7’s Anubis Backdoor epitomizes the convergence of **stealth, adaptability, and enterprise targeting**. With SharePoint as a launchpad and Python as its engine, organizations must adopt **behavioral analytics** and **proactive threat hunting** to counter this evolving threat.