Introduction
Cybersecurity analysts have uncovered a sophisticated Python-based backdoor framework, codenamed DEEP#DOOR, designed to maintain persistent access to compromised systems while silently harvesting sensitive credentials. This threat specifically targets browser-stored passwords, cloud service authentication tokens, and other critical data—exfiltrating them through an encrypted tunneling service to evade detection. The attack chain demonstrates advanced evasion techniques, including disabling security controls and using dynamic code extraction.
Infection Chain Breakdown
Initial Vector and Execution
The intrusion begins when a victim executes a malicious batch script named install_obf.bat. This script acts as the initial dropper, performing several key actions:
- Disables Windows Defender and other security mechanisms using built-in command-line tools.
- Downloads and executes a PowerShell payload that fetches the core Python backdoor from a remote server.
- Obfuscates its own code to hinder static analysis by signature-based antivirus engines.
Dynamic Extraction and Persistence
Once the PowerShell script runs, it dynamically extracts a Python-based agent from obfuscated data. This agent establishes persistence by creating scheduled tasks or modifying registry run keys, ensuring it activates on every system reboot. To avoid detection, the backdoor uses process hollowing or code injection techniques, hiding its presence within legitimate Windows processes.
Capabilities of the DEEP#DOOR Backdoor
Credential Theft Modules
DEEP#DOOR is equipped with specialized modules to extract credentials from multiple sources:
- Browser Credentials: Targets stored passwords, cookies, and autofill data from Chrome, Firefox, Edge, and Opera. It decrypts Chrome's SQLite databases using the Windows Data Protection API (DPAPI).
- Cloud Service Tokens: Harvests session tokens and API keys from cloud providers like AWS, Azure, and Google Cloud by scanning local configuration files and environment variables.
- VPN and FTP Clients: Collects saved credentials from common VPN and FTP clients, expanding the attacker's potential lateral movement capabilities.
Data Exfiltration via Tunneling Service
Rather than relying on direct outbound connections that could be flagged, the backdoor leverages a legitimate tunneling service (analogous to ngrok or similar) to create an encrypted tunnel. The stolen data is compressed and split into small chunks, then transmitted through the tunnel to an attacker-controlled endpoint. This technique masks the exfiltration as normal HTTPS traffic, bypassing network-based detection mechanisms.
Command and Control (C2)
DEEP#DOOR uses a beacon-based C2 communication model. It periodically checks in with the tunneling service's randomly generated domain names, receiving encrypted commands. The backdoor supports features such as:
- Remote shell access
- File upload/download
- Keylogging
- Screen capture
- Process manipulation
Indicators of Compromise (IoCs)
File and Network Artifacts
Security teams should monitor for the following indicators:
- Presence of
install_obf.batin temporary directories - Unknown scheduled tasks named after system utilities with random suffixes
- Outbound connections to dynamic DNS domains associated with tunneling services
- Unusual PowerShell execution with encoded commands
- Suspicious Python scripts located in %APPDATA% or %TEMP%
YARA Rule Snippet
Analysts have developed YARA rules to detect the obfuscated batch script pattern:
rule DEEP_DOOR_bat {
strings:
$s1 = "install_obf.bat" nocase
$s2 = "DisableAntiSpyware" nocase
$s3 = "python.exe" nocase
condition:
all of them
}Mitigation and Defense Strategies
Preventive Measures
- Restrict execution of scripts from untrusted sources using AppLocker or Windows Defender Application Control.
- Enable tamper protection for security software to prevent disabling via scripts.
- Implement network segmentation and monitor for unusual tunnel traffic to unknown external services.
Detection and Response
- Deploy endpoint detection and response (EDR) tools capable of identifying process hollowing and code injection.
- Audit scheduled tasks and registry autoruns for anomalous entries.
- Use threat intelligence feeds to block known malicious tunneling domains.
- Conduct regular password hygiene and use multi-factor authentication for cloud services.
Conclusion
The emergence of DEEP#DOOR highlights the evolving sophistication of Python-based backdoors in using legitimate services for exfiltration. By disabling defenses and leveraging tunneling, attackers can remain undetected while stealing valuable credentials. Organizations must adopt a layered defense approach, combining proactive monitoring, strict execution policies, and user education to mitigate such threats.