FIN7’s Anubis Backdoor hijacks Windows systems via compromised SharePoint sites. Learn how this Python-based threat operates and how to defend your enterprise.

Continue reading
The Russian cybercrime group FIN7 (aka Savage Ladybug, Carbon Spider) has unleashed Anubis, a Python-based backdoor targeting Windows systems via compromised SharePoint instances and phishing campaigns. Designed for stealth and flexibility, Anubis enables remote command execution, file theft, and registry manipulation while evading detection. This Threatfeed dissects its technical architecture, attack lifecycle, and defensive countermeasures, providing a holistic view of one of 2024’s most insidious threats.
FIN7 employs two primary vectors to deploy Anubis:
The decoy script (30–50 lines of code) decrypts the primary payload using AES-CBC encryption with a unique key embedded in each sample. Example decryption logic: ```python from Crypto.Cipher import AES import base64
cipher = AES.new(key, AES.MODE_CBC, iv) decrypted_payload = cipher.decrypt(base64.b64decode(encrypted_data)) exec(decrypted_payload) # In-memory execution to avoid disk writes ``` Key Evasion Tactics:
Anubis communicates with prioritized C2 servers via TCP sockets, failing over to backup IPs if blocked. All traffic is base64-encoded, mimicking benign web traffic.
| Command | Function | Risk Level |
|---|---|---|
| `killexit` | Terminates the backdoor process. | Low |
| `ip` | Fetches the host’s local and public IP addresses. | Medium |
| `cd` | Changes the working directory (e.g., navigating to sensitive folders). | High |
| `gt` | Exfiltrates files from the host to the C2 server. | Critical |
| `up` | Uploads malicious files (e.g., ransomware) to the host. | Critical |
FIN7 has transitioned from POS malware and credit card theft (e.g., Carbanak) to a ransomware affiliate model. Recent activities include:
By hijacking SharePoint sites, FIN7 infiltrates networks where traditional perimeter defenses fail. Case studies reveal:
Anubis underscores a growing trend of offensive Python usage in cybercrime due to:
FIN7’s Anubis Backdoor epitomizes the convergence of stealth, adaptability, and enterprise targeting. With SharePoint as a launchpad and Python as its engine, organizations must adopt behavioral analytics and proactive threat hunting to counter this evolving threat.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.
| `env` |
| Harvests environment variables (e.g., API keys, credentials). |
| High |
| `!cf!` | Modifies Windows Registry (e.g., `HKCU\Software\Microsoft\Windows`). | Critical |
| `!tcf!` | Scans TCP ports (default: 80, 443) on specified IPs for lateral movement. | High |
| `!execpy!` | Executes attacker-provided Python code in a new thread (e.g., ransomware). | Critical |
| `!mme` | Injects DLLs into memory using PythonMemoryModule (e.g., Cobalt Strike). | Critical |