{"id":1607022,"date":"2025-04-02T06:46:40","date_gmt":"2025-04-02T08:46:40","guid":{"rendered":"https:\/\/teknomers.com\/fr\/fin7-deploie-les-systemes-de-porte-derobee-anubis-pour-detourner-les-systemes-windows-via-des-sites-sharepoint-compromis\/"},"modified":"2025-04-02T06:46:44","modified_gmt":"2025-04-02T08:46:44","slug":"fin7-deploie-les-systemes-de-porte-derobee-anubis-pour-detourner-les-systemes-windows-via-des-sites-sharepoint-compromis","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/fin7-deploie-les-systemes-de-porte-derobee-anubis-pour-detourner-les-systemes-windows-via-des-sites-sharepoint-compromis\/","title":{"rendered":"FIN7 d\u00e9ploie les syst\u00e8mes de porte d\u00e9rob\u00e9e Anubis pour d\u00e9tourner les syst\u00e8mes Windows via des sites SharePoint compromis"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">02 avril 2025<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">Ransomware \/ S\u00e9curit\u00e9 des e-mails<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/FIN7-deploie-les-systemes-de-porte-derobee-Anubis-pour-detourner.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>L&#8217;acteur de menace financi\u00e8rement motiv\u00e9 connu sous le nom de FIN7 a \u00e9t\u00e9 li\u00e9 \u00e0 une porte d\u00e9rob\u00e9e bas\u00e9e \u00e0 Python appel\u00e9e Anubis (\u00e0 ne pas confondre avec un chevalier bancaire Android du m\u00eame nom) qui peut leur accorder un acc\u00e8s \u00e0 distance \u00e0 des syst\u00e8mes Windows compromis.<\/p>\n<p>&#8220;Ce logiciel malveillant permet aux attaquants d&#8217;ex\u00e9cuter des commandes de shell distant et d&#8217;autres op\u00e9rations syst\u00e8me, ce qui leur donne un contr\u00f4le total sur une machine infect\u00e9e&#8221;, a d\u00e9clar\u00e9 la soci\u00e9t\u00e9 de cybers\u00e9curit\u00e9 suisse <a rel=\"noopener nofollow\" href=\"https:\/\/catalyst.prodaft.com\/public\/report\/anubis-backdoor\/overview\" target=\"_blank\">dit<\/a> Dans un rapport technique du malware.<\/p>\n<div class=\"dog_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener sponsored\" href=\"https:\/\/thehackernews.uk\/drata-1\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybers\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/Lucid-PhaaS-atteint-169-cibles-dans-88-pays-utilisant-iMessage.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>Fin7, \u00e9galement appel\u00e9 Carbon Spider, Elbrus, Gold Niagara, Sangria Tempest et Savage Ladybug, est un groupe de cybercriminalit\u00e9 russe connu pour son <a rel=\"noopener nofollow\" href=\"https:\/\/www.secureworks.com\/research\/threat-profiles\/gold-niagara\" target=\"_blank\">en constante \u00e9volution<\/a> et <a rel=\"noopener nofollow\" href=\"https:\/\/www.kroll.com\/en\/insights\/publications\/cyber\/carbanak-anunak-distributed-via-idatloader-hijackloader\" target=\"_blank\">expansion<\/a> Ensemble de familles de logiciels malveillants pour obtenir l&#8217;acc\u00e8s initial et l&#8217;exfiltration des donn\u00e9es. Ces derni\u00e8res ann\u00e9es, l&#8217;acteur de menace aurait pass\u00e9 \u00e0 un affili\u00e9 des ransomwares.<\/p>\n<p>En juillet 2024, le groupe a \u00e9t\u00e9 observ\u00e9 \u00e0 l&#8217;aide de divers alias en ligne pour annoncer un outil appel\u00e9 Aukill (aka avneutralizer) capable de mettre fin aux outils de s\u00e9curit\u00e9 dans une tentative probable de diversifier sa strat\u00e9gie de mon\u00e9tisation.<\/p>\n<p>Anubis serait propag\u00e9 via des campagnes de Malspam qui incitent g\u00e9n\u00e9ralement les victimes \u00e0 ex\u00e9cuter la charge utile h\u00e9berg\u00e9e sur des sites SharePoint compromis.<\/p>\n<p>Livr\u00e9 sous la forme d&#8217;une archive zip, le point d&#8217;entr\u00e9e de l&#8217;infection est un script Python con\u00e7u pour d\u00e9crypter et ex\u00e9cuter la charge utile obscurci principale directement en m\u00e9moire. Une fois lanc\u00e9, la porte d\u00e9rob\u00e9e \u00e9tablit des communications avec un serveur distant via une prise TCP au format cod\u00e9 Base64.<\/p>\n<p>Les r\u00e9ponses du serveur, \u00e9galement cod\u00e9es en base64, lui permettent de rassembler l&#8217;adresse IP de l&#8217;h\u00f4te, de t\u00e9l\u00e9charger \/ t\u00e9l\u00e9charger des fichiers, de modifier le r\u00e9pertoire de travail actuel, de saisir des variables d&#8217;environnement, d&#8217;alt\u00e9rer le registre Windows, de charger les fichiers DLL en m\u00e9moire \u00e0 l&#8217;aide de PythonMemoryModule et de se terminer.<\/p>\n<div class=\"dog_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener sponsored\" href=\"https:\/\/thehackernews.uk\/zscaler-inside-d\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybers\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/1743491377_264_Apple-a-condamne-une-amende-a-150-millions-deuros-par.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>Dans une analyse ind\u00e9pendante d&#8217;Anubis, la soci\u00e9t\u00e9 de s\u00e9curit\u00e9 allemande GDATA <a rel=\"noopener nofollow\" href=\"https:\/\/www.gdatasoftware.com\/blog\/2025\/03\/38161-analysis-fin7-anubis-backdoor\" target=\"_blank\">dit<\/a> La porte d\u00e9rob\u00e9e prend \u00e9galement en charge la possibilit\u00e9 d&#8217;ex\u00e9cuter des r\u00e9ponses fournies par l&#8217;op\u00e9rateur en tant que commande shell sur le syst\u00e8me victime.<\/p>\n<p>&#8220;Cela permet aux attaquants d&#8217;effectuer des actions telles que le keylogging, la prise de captures d&#8217;\u00e9cran ou le vol de mots de passe sans stocker directement ces capacit\u00e9s sur le syst\u00e8me infect\u00e9&#8221;, a d\u00e9clar\u00e9 Prodaft. &#8220;En gardant la porte d\u00e9rob\u00e9e aussi l\u00e9g\u00e8re que possible, ils r\u00e9duisent le risque de d\u00e9tection tout en maintenant la flexibilit\u00e9 pour ex\u00e9cuter d&#8217;autres activit\u00e9s malveillantes.&#8221;<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant? Suivez-nous <a rel=\"noopener nofollow\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Gazouillement <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"noopener nofollow\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">Liendin<\/a> Pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2025\/04\/fin7-deploys-anubis-backdoor-to-hijack.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80202 avril 2025\ue804Ravie LakshmananRansomware \/ S\u00e9curit\u00e9 des e-mails L&#8217;acteur de menace financi\u00e8rement motiv\u00e9 connu sous le nom de FIN7 a \u00e9t\u00e9 li\u00e9 \u00e0 une porte d\u00e9rob\u00e9e bas\u00e9e \u00e0 Python appel\u00e9e Anubis (\u00e0 ne pas confondre avec un chevalier bancaire Android du m\u00eame nom) qui peut leur accorder un acc\u00e8s \u00e0 distance \u00e0 des syst\u00e8mes Windows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1607023,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[274266,274265,292501,4168,20350,79002,274264,4161,274263,6124,7050,7084,133,31219,43570,65,274267,4160,2742,185,238617,246491,4172,224068,2783,5046,79016,4166,4164,45020],"class_list":["post-1607022","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-de-piratage","tag-actualites-des-pirates","tag-anubis","tag-comment-pirater","tag-compromis","tag-cyber-security-news","tag-cyber-security-news-aujourdhui","tag-cyber-mises-a-jour","tag-cyber-nouvelles","tag-cyberattaques","tag-deploie","tag-derobee","tag-des","tag-detourner","tag-fin7","tag-les","tag-malware-ransomware","tag-mises-a-jour-de-la-cybersecurite","tag-porte","tag-pour","tag-securite-de-linformation","tag-securite-du-reseau","tag-securite-informatique","tag-sharepoint","tag-sites","tag-systemes","tag-the-hacker-news","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-windows"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1607022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1607022"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1607022\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1607023"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1607022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1607022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1607022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}