New Python Backdoor DEEP#DOOR Uses Tunneling Service to Steal Browser and Cloud Credentials
#Cybersecurity


Security Reporter
4 min read

Researchers uncover stealthy Python-based backdoor that establishes persistent access and harvests sensitive data through a Rust-based tunneling service.

Cybersecurity researchers have disclosed details of a sophisticated Python-based backdoor framework called DEEP#DOOR that establishes persistent access on compromised systems while harvesting a wide range of sensitive information. The malware represents an evolution in fileless attack techniques that prioritize stealth and evasion.


"The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions," said Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee in their report.

Attack Chain Analysis

The attack begins when a user executes a phishing-delivered batch script. This script performs several malicious actions:

  1. Disables Windows security controls
  2. Dynamically extracts an embedded Python payload
  3. Establishes multiple persistence mechanisms
  4. Connects to a command-and-control server

What makes this attack noteworthy is that the core Python implant is embedded directly inside the dropper script. This approach reduces external dependencies and minimizes forensic footprints, making detection more challenging for traditional security solutions.

"Based on our current analysis, there is no clear evidence to suggest that this malware framework was widely used in large-scale or highly active campaigns," Gaikwad, senior security research engineer at Securonix, explained. "Its observed usage appears to be limited and somewhat targeted rather than broadly distributed."

Sophisticated Capabilities

Once deployed, DEEP#DOOR establishes communication with "bore[.]pub," a Rust-based tunneling service. This approach offers several advantages for threat actors:

  • Eliminates the need for dedicated infrastructure
  • Blends malicious traffic with legitimate traffic
  • Avoids embedding server details in the payload

The backdoor's capabilities include extensive surveillance functions:

  • Reverse shell access
  • System reconnaissance
  • Keylogging
  • Clipboard monitoring
  • Screenshot capture
  • Webcam access
  • Ambient audio recording
  • Web browser credential harvesting (Chrome, Firefox)
  • SSH key extraction
  • Credentials from Windows Credential Manager
  • Cloud credential theft (AWS, Google Cloud, Microsoft Azure)

Evasion Techniques

DEEP#DOOR incorporates numerous anti-analysis and defense evasion mechanisms:

  • Sandbox, debugger, and VM detection
  • AMSI and Event Tracing for Windows (ETW) patching
  • NTDLL unhooking
  • Microsoft Defender tampering
  • SmartScreen bypass
  • PowerShell logging suppression
  • Command-line wiping
  • Timestamp stomping
  • Log clearing

"The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation within compromised environments," Securonix researchers noted. "The implant prioritizes evading detection and forensic visibility by directly tampering with Windows security and telemetry mechanisms."

Persistence Mechanisms

The backdoor employs multiple persistence mechanisms to ensure it remains active even after system reboots:

  1. Windows Startup folder scripts
  2. Registry Run keys
  3. Scheduled tasks
  4. WMI subscriptions

It also includes a watchdog mechanism that automatically recreates persistence artifacts if they're removed, making remediation particularly challenging for security teams.
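One way to audit the four persistence locations named above in a single pass, written here as an added example rather than anything from the Securonix report. It assumes an elevated PowerShell session and treats entries that reference a Python interpreter, a .py or .bat file, or the file names the article mentions as worth a closer look.

```powershell
# Added example, not code from the Securonix report. Run from an elevated prompt.
# Assumption: Run keys, Startup folders, scheduled tasks and WMI subscriptions
# that reference python, .py/.bat files, or the article's file names deserve review.
$pattern  = 'python|\.py\b|\.bat\b|svc\.py|install_obf'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Source, $Name, $Value) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = "$Value" })
}

# 1. Registry Run / RunOnce keys for the machine and the current user
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$($hive):\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                ForEach-Object { Add-Finding $key $_.Name $_.Value }
        }
    }
}

# 2. Startup folders (all users and current user)
$startup = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
             "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($dir in $startup) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
}

# 3. Scheduled tasks: record each action's executable and arguments
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
    }
}

# 4. WMI permanent event subscriptions: filters (queries) and command-line consumers
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIFilter' $_.Name $_.Query }
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $_.CommandLineTemplate }

# Report everything, then the subset matching the pattern. Because the implant's
# watchdog recreates removed artifacts, re-run this after cleanup and compare.
$findings | Format-Table -AutoSize
$flagged = @($findings | Where-Object { $_.Value -match $pattern -or $_.Name -match $pattern })
"`nEntries worth reviewing: $($flagged.Count)"
$flagged | Format-List
```

Because entries reappearing after removal point to a still-running watchdog process, pair this audit with a look at running python.exe instances and their parent processes before deleting anything.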

Expert Assessment

"DEEP#DOOR highlights the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages like Python," the researchers explained. "By embedding the payload directly within the dropper and extracting it at runtime, the malware significantly reduces external dependencies and limits traditional detection opportunities."

While the current assessment suggests limited usage, researchers note that the modular nature of the framework could lead to wider adoption by various threat actors in the future.

Defensive Recommendations

Organizations should consider the following defensive measures:

  1. Implement application control to prevent execution of suspicious scripts
  2. Monitor for unusual process behavior and parent-child relationships
  3. Audit scheduled tasks and startup locations for unauthorized entries
  4. Deploy endpoint detection and response solutions capable of detecting fileless attacks
  5. Regularly audit browser and credential manager data for unauthorized access
  6. Implement multi-factor authentication for cloud services
  7. Monitor network traffic for unusual connections to tunneling services

"At this stage, we have not identified consistent indicators pointing to specific geographies or industry sectors being systematically targeted," Gaikwad added. "However, given the modular nature of the framework, it is possible that different threat actors could adapt it for varied use cases over time."

The discovery of DEEP#DOOR underscores the ongoing cat-and-mouse game between security researchers and threat actors, with the latter continuously developing more sophisticated evasion techniques to bypass defensive measures.
