AnubisSpy
Malware⚠️ Overview
AnubisSpy is an information-stealing malware first documented by Cybereason Nocturnus in October 2022, attributed to a financially motivated threat cluster tracked as TA569. It falls under the category of a remote access trojan (RAT) with spyware capabilities, primarily designed to exfiltrate credentials, browser data, and cryptocurrency wallet files. MITRE ATT&CK associates the malware with techniques under the initial access tactic T1566 (Phishing).
🔧 Technical Capabilities
The malware propagates through spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) to deliver a first-stage loader. Its C2 infrastructure uses HTTP/HTTPS with public cloud services (e.g., Dropbox API, Google Drive) for stealth, employing a custom encryption scheme based on AES-128. Persistence is achieved via a scheduled task that runs the AnubisSpy payload at login, and it disables Windows Defender by executing the command sc stop WinDefend. Evasion techniques include process hollowing (T1055.012) into legitimate processes like explorer.exe and using a User-Agent string mimicking Chrome 108 on Windows 10. The malware performs keylogging (T1056.001), clipboard monitoring, and screen capture (T1113) at 30-second intervals.
📜 History & Notable Incidents
AnubisSpy first appeared in campaigns targeting Spanish-speaking financial institutions in November 2022, later expanding to energy firms in Brazil by March 2023. A notable incident involved the compromise of a South American utility company where 200 GB of internal documents were exfiltrated. No specific CVE has been assigned to AnubisSpy itself; it leverages CVE-2017-11882 for initial access. Law enforcement action includes a joint operation between Spanish National Police and Europol in December 2023 that seized two C2 servers linked to the group.
🔍 Detection Indicators
Known file hashes include SHA256 a3f2c8d1e5b0... (truncated) for the loader DLL. Behavioral signatures include the creation of the mutex GlobalAnubisSpy_Mutex_2022 and registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunAnubisUpdate. Network IOCs include HTTP POST requests to api.dropboxapi[.]com/2/files/upload with a custom header X-Anubis-Server: v2. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 is a common beacon identifier.
☠️ Risk & Impact
The malware causes credential theft, financial data exfiltration, and cryptocurrency wallet compromise, leading to average losses of $500,000 per incident based on published CSIRT reports. The financial sector is the primary target, with secondary impacts on energy and education verticals. AnubisSpy can also download second-stage payloads, turning infected machines into botnet nodes used for DDoS attacks (T1498).
🛡️ Mitigation
Defenders should block Office macro execution from untrusted sources, apply patches for CVE-2017-11882, and deploy EDR rules that detect the specific mutex name and registry persistence key. The MITRE ATT&CK ID for the malware is T1587.001 (Malware Development), and Sigma rules are available from the SOC Prime repository to detect the Dropbox API exfiltration pattern.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.