
Threat intelligence company PRODAFT uncovers a new Python-based backdoor named AnubisBackdoor, wielded by the infamous FIN7 group, also known as Savage Ladybug. This malware is designed to provide attackers with full control over infected machines, employing evasion techniques to bypass traditional security measures.
PRODAFT’s analysis reveals that AnubisBackdoor allows attackers to execute remote shell commands and various system operations. “This malware provides attackers with full control over an infected machine, enabling remote shell execution and various system operations,” the report confirms.
A key characteristic of AnubisBackdoor is its ability to evade detection. The report states, “AnubisBackdoor is designed to evade detection, and as of this report, it remains fully undetected (FUD) by most antivirus solutions.” This is achieved through obfuscation, although PRODAFT notes that the obfuscation is “not particularly strong” yet “effective enough to bypass many security tools.”
The malware is delivered through malspam campaigns, tricking victims into executing malicious payloads. Additionally, attackers are leveraging compromised SharePoint instances to host and serve the malware, making detection more challenging in enterprise environments.
The malware is distributed as a ZIP package containing a Python script and multiple Python executables. PRODAFT observed variations in execution methods, with some variants executing the obfuscated payload directly after writing it to disk, while others load the payload and call a specific function. “This variability in execution methods demonstrates the malware’s adaptability and the threat actor’s efforts to diversify their delivery mechanisms for different operational scenarios,” the report indicates.

The main entry point is a Python script of approximately 30 lines, whose primary purpose is to decrypt and execute the real payload. PRODAFT’s analysis uncovered two different execution methods: directly calling the loaded function and writing the obfuscated payload to a file on disk before calling it. The backdoor specifically targets Windows hosts.
The report delves into the obfuscation techniques employed, noting that they primarily involve substituting variable names with characters like “L” and “I,” making the code harder to read. “The technique closely resembles obfuscation patterns seen in publicly available tools like PyObfuscate or most likely Anubis Obfuscator,” suggesting the attackers are using readily available tools.
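A defender-side heuristic for the renaming pattern the report describes, written here as an added example (it is neither PRODAFT's nor the malware's code): it parses a Python file with the standard ast module, without executing it, and scores how many identifiers are built only from I/L look-alike letters. The two sample scripts are constructed, and the thresholds and the inclusion of lowercase "l" are assumptions.

```python
import ast
import re
from collections import Counter

# Identifiers made only of the look-alike letters the report mentions ("L" and "I").
# Lowercase "l" is added here as an assumption, since it is visually identical to "I".
LOOKALIKE = re.compile(r"^[ILl]+$")


def lookalike_identifier_ratio(source):
    """Return (ratio, distinct_count) of identifiers in `source` that consist solely
    of look-alike letters. Uses ast.parse, so the suspicious file is never run."""
    tree = ast.parse(source)
    names = Counter()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):            # variable reads/writes
            names[node.id] += 1
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            names[node.name] += 1                 # definitions
        elif isinstance(node, ast.arg):           # function parameters
            names[node.arg] += 1
    if not names:
        return 0.0, 0
    suspicious = [n for n in names if LOOKALIKE.match(n)]
    return len(suspicious) / len(names), len(suspicious)


def looks_obfuscated(source, min_ratio=0.5, min_distinct=3):
    """Heuristic verdict (thresholds are assumptions): flag when most identifiers are
    look-alike names and there are several distinct ones, so a lone variable named
    'l' in ordinary code does not trigger it."""
    ratio, distinct = lookalike_identifier_ratio(source)
    return ratio >= min_ratio and distinct >= min_distinct


# Constructed samples (not real AnubisBackdoor code): a plain decoder, and the same
# decoder with its identifiers replaced by I/L strings in the style the report describes.
NORMAL_SCRIPT = """
import base64
def decode_payload(blob):
    data = base64.b64decode(blob)
    return data.decode()
"""
RENAMED_SCRIPT = """
import base64
def IlI(LIL):
    IIL = base64.b64decode(LIL)
    return IIL.decode()
LLI = IlI("aGVsbG8=")
"""
```

Running both samples through looks_obfuscated() returns False for NORMAL_SCRIPT and True for RENAMED_SCRIPT, where 4 of the 5 distinct identifiers are look-alike names; tune the thresholds against your own code base before using it to triage files.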
AnubisBackdoor communicates through a single TCP socket, utilizing a failover sequence of servers. All messages, including the group name at the start, are base64-encoded before transmission, and responses from the server are also base64-encoded. Upon execution, the backdoor sends the process ID and IP address of the infected host to the command and control (C2) server. The malware uses a clever technique to retrieve the local IP address of the infected machine by creating a UDP socket and attempting to connect to an external IP address, allowing the OS kernel to determine the appropriate local IP address.
The backdoor operates based on commands received from the C2 server, executing a predefined set of instructions. It also supports remote code execution, enabling threat actors to dynamically load malicious functionalities. “By keeping the backdoor as lightweight as possible, they reduce the risk of detection while maintaining flexibility for executing further malicious activities,” the report explains. The main execution loop processes incoming commands until a termination instruction is received. If a command does not match any predefined functions, the malware executes the command via subprocess.Popen, granting the attacker full control through shell command execution.
“AnubisBackdoor is a stealthy Python-based tool used by Savage Ladybug (FIN7) to maintain access to compromised systems,” the report concludes. Despite its simple obfuscation, it currently evades most antivirus solutions and is delivered through malspam and compromised SharePoint instances, posing a significant threat. The variations in payload execution suggest ongoing development and refinement by the attackers.