March 13, 2025
Severity
High
Analysis Summary
A new Python-based backdoor, AnubisBackdoor, is being used by the threat group Savage Ladybug (FIN7) to execute remote commands on compromised systems while evading most antivirus solutions. The malware is designed to provide persistent access and relies on mild obfuscation techniques to evade detection, enabling attackers to operate undetected.
AnubisBackdoor allows attackers to execute system commands, steal sensitive data, and spread across an organization’s network. It is primarily distributed through malicious spam emails containing harmful attachments or links. When victims interact with these elements, the malware installs itself, establishes persistence, and connects to the attacker's command and control servers.
Researchers at PRODAFT found that AnubisBackdoor's obfuscation methods are highly effective at bypassing security tools. Despite its simple design, the malware utilizes standard Python libraries to reduce its footprint while maintaining powerful capabilities. It follows a modular approach, allowing attackers to modify payloads based on specific targets.
The malware’s core function is executing system commands via the shell, using Python's subprocess module. This lets attackers control infected machines remotely, making detection and mitigation challenging.
AnubisBackdoor can remain on systems for long periods without triggering security alerts, giving attackers time to steal credentials, monitor user activity, and move laterally across networks. Its Python-based nature also makes it adaptable for Windows, Linux, and macOS, increasing its potential reach.
Impact
- Command Execution
- Credential Theft
- Security Bypass
- Data Theft
Indicators of Compromise
IP
- 8.134.148.20
- 5.252.177.249
- 212.224.107.203
- 195.133.67.35
MD5
- 0a5f3fc92af7aa3e448ac7b84e495fc6
SHA-256
- 03a160127cce3a96bfa602456046cc443816af7179d771e300fec80c5ab9f00f
SHA-1
- 6480ca1b4ef8ee7074be143cc103c655c107b038
Remediation
- Update and patch all systems regularly to reduce vulnerabilities.
- Deploy advanced endpoint protection and behavior-based detection tools.
- Educate employees about phishing attacks and the dangers of opening unknown emails or attachments.
- Implement email filtering to block suspicious attachments and links.
- Monitor network traffic for unusual activity or unauthorized connections.
- Restrict the execution of unverified Python scripts on enterprise systems.
- Use application whitelisting to prevent unauthorized software from running.
- Regularly scan for and remove unknown or unauthorized Python scripts.
- Implement least privilege access to limit the impact of a potential compromise.
- Conduct regular security audits and penetration testing to identify weaknesses.
- Set up multi-factor authentication (MFA) to prevent unauthorized access.
- Isolate infected machines immediately to prevent lateral movement.
- Keep security tools updated with the latest threat intelligence and detection signatures.
- Monitor logs for unusual system commands or processes.
- Maintain secure backups and test recovery procedures to ensure quick restoration in case of an attack.
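The following is an added example, not part of this advisory and not code from PRODAFT or any vendor: a small Python IoC matcher that applies the indicators listed above to log data, covering the "monitor network traffic" and "monitor logs for unusual system commands or processes" items in the remediation list. It checks destination IPs against the listed C2 addresses, checks file hashes against the listed MD5/SHA-1/SHA-256 values, and flags a Python interpreter spawning a shell, which is the behaviour the analysis describes (command execution through Python's subprocess module). The key=value log format, the field names (`ts`, `src`, `dst`, `host`, `parent`, `image`, `cmdline`, `sha1`, `sha256`) and all sample log lines are constructed for this example and are not from the advisory.

```python
"""Added example: match the advisory's IoCs and the python->shell behaviour
against constructed sample log lines. Not part of the original advisory."""
import hashlib
import re

# Indicators taken from the advisory.
IOC_IPS = {"8.134.148.20", "5.252.177.249", "212.224.107.203", "195.133.67.35"}
IOC_HASHES = {
    "md5": {"0a5f3fc92af7aa3e448ac7b84e495fc6"},
    "sha1": {"6480ca1b4ef8ee7074be143cc103c655c107b038"},
    "sha256": {"03a160127cce3a96bfa602456046cc443816af7179d771e300fec80c5ab9f00f"},
}

# Shell images that a Python interpreter should not normally spawn on a workstation.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh", "dash"}
# Matches python, python3, python3.11, pythonw.exe, python.exe, ...
PYTHON_IMAGE = re.compile(r"^python(\d(\.\d+)?)?w?(\.exe)?$")

# Constructed sample logs in a hypothetical key=value format (not real telemetry).
SAMPLE_NETWORK_LOG = """\
ts=2025-03-13T10:01:02Z src=10.0.0.5 dst=8.134.148.20 dport=443 proto=tcp
ts=2025-03-13T10:01:05Z src=10.0.0.5 dst=142.250.74.14 dport=443 proto=tcp
ts=2025-03-13T10:02:10Z src=10.0.0.9 dst=195.133.67.35 dport=8080 proto=tcp
"""

SAMPLE_PROCESS_LOG = r"""ts=2025-03-13T10:03:00Z host=ws01 parent=C:\Python311\python.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c hostname" sha256=1111111111111111111111111111111111111111111111111111111111111111
ts=2025-03-13T10:03:04Z host=ws01 parent=C:\Windows\explorer.exe image=C:\Windows\notepad.exe cmdline="notepad.exe" sha256=2222222222222222222222222222222222222222222222222222222222222222
ts=2025-03-13T10:04:30Z host=ws02 parent=C:\Python311\python.exe image=C:\Users\Public\unknown_sample.exe cmdline="unknown_sample.exe" sha256=03a160127cce3a96bfa602456046cc443816af7179d771e300fec80c5ab9f00f
ts=2025-03-13T10:05:00Z host=srv03 parent=/usr/bin/python3 image=/bin/sh cmdline="sh -c uname" sha1=6480ca1b4ef8ee7074be143cc103c655c107b038
"""

# key=value or key="quoted value"; a regex avoids shlex's backslash handling on Windows paths.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Turn one key=value log line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_network(log_text):
    """Return connections whose destination is one of the advisory's C2 addresses."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_kv(line)
        if fields.get("dst") in IOC_IPS:
            hits.append({"ts": fields.get("ts"), "src": fields.get("src"),
                         "dst": fields["dst"], "reason": "destination matches advisory C2 IP"})
    return hits


def match_process(log_text):
    """Return process events that match a listed hash or show python spawning a shell."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_kv(line)
        reasons = []
        for algo, known in IOC_HASHES.items():
            digest = fields.get(algo, "").lower()
            if digest and digest in known:
                reasons.append(f"{algo} matches advisory sample")
        if PYTHON_IMAGE.match(basename(fields.get("parent", ""))) and basename(fields.get("image", "")) in SHELLS:
            reasons.append("python interpreter spawned a shell")
        if reasons:
            hits.append({"host": fields.get("host"), "image": fields.get("image"), "reasons": reasons})
    return hits


def hash_matches(data):
    """Hash file bytes with all three algorithms; return the algorithms whose digest is listed."""
    digests = {"md5": hashlib.md5(data).hexdigest(),
               "sha1": hashlib.sha1(data).hexdigest(),
               "sha256": hashlib.sha256(data).hexdigest()}
    return sorted(algo for algo, digest in digests.items() if digest in IOC_HASHES[algo])


if __name__ == "__main__":
    for hit in match_network(SAMPLE_NETWORK_LOG) + match_process(SAMPLE_PROCESS_LOG):
        print(hit)
    print(hash_matches(b"constructed benign file content"))
```

The hash and IP checks are exact-match and will only ever catch this specific sample and infrastructure; the python-spawns-shell rule is the more durable signal, since it keys on the behaviour the analysis describes rather than on artefacts the operators can change, but it needs tuning on hosts where developers or automation legitimately run shell commands from Python.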