Stealthy Python Backdoor DEEP#DOOR Exploits Tunneling Services to Exfiltrate Credentials

Cybersecurity researchers have uncovered a sophisticated Python-based backdoor, dubbed DEEP#DOOR, that leverages tunneling services to stealthily harvest browser and cloud credentials. This article delves into the attack chain, capabilities, and implications of this emerging threat.

Overview of DEEP#DOOR

DEEP#DOOR is a lightweight yet powerful backdoor framework written in Python. It is designed to establish persistent access to compromised systems while collecting sensitive data, including login credentials from web browsers and cloud service providers. The malware employs a tunneling service to evade detection and maintain command-and-control (C2) communications.

Attack Chain and Initial Compromise

The infection begins with a malicious batch script named install_obf.bat, which is executed on the target machine. This script performs several critical actions to prepare the environment:

• Disables Windows security controls such as Windows Defender and User Account Control (UAC) to avoid detection.
• Dynamically extracts and loads the main Python payload from an encrypted or obfuscated source.
• Establishes persistence by modifying registry run keys or creating scheduled tasks.

Once executed, the script silently deploys the DEEP#DOOR backdoor, which then connects to its C2 infrastructure via a legitimate tunneling service (e.g., ngrok or similar). This approach hides the true destination and encrypts traffic, making network analysis more difficult.

Capabilities and Data Theft

DEEP#DOOR is equipped with a range of modules to harvest sensitive information:

Browser Credential Harvesting

The backdoor targets major web browsers such as Chrome, Edge, and Firefox. It extracts stored passwords, cookies, and autofill data using standard techniques like reading local databases (e.g., Login Data in Chrome) and decrypting them with known methods. These credentials are then exfiltrated to the attacker's server.

Cloud Service Credential Theft

In addition to browser data, DEEP#DOOR specifically seeks credentials for cloud platforms such as AWS, Azure, and Google Cloud. It scans for configuration files, environment variables, and session tokens that are commonly stored on developer machines or servers. This targeting makes it a significant threat to organizations relying on cloud infrastructure.

Keylogging and Screen Capture

Some variants of DEEP#DOOR include keylogging and screen capture capabilities, allowing attackers to monitor user activity and capture additional sensitive information such as two-factor authentication codes or proprietary data.

Tunneling Service for Stealth

A standout feature of DEEP#DOOR is its use of legitimate tunneling services to relay C2 traffic. By routing communications through a public tunneling provider, the backdoor:

1. Bypasses network firewalls that might block direct outbound connections to unknown IPs.
2. Encrypts data using the tunneling service's protocol, adding a layer of obfuscation.
3. Makes traffic appear benign, as it is directed to a popular service domain.

This technique significantly increases the difficulty of detecting and blocking the backdoor through traditional signature-based methods.

Persistence and Defense Evasion

Beyond the initial batch script, DEEP#DOOR ensures long-term access through multiple mechanisms:

• Registry modifications to auto-start the backdoor on system boot.
• Service or scheduled task creation for redundancy.
• Process injection into legitimate Windows processes to evade process-based detection.

The malware also periodically checks for debugging tools or sandbox environments, and can self-destruct if it detects analysis attempts.

Mitigation Strategies

To defend against DEEP#DOOR and similar backdoors, organizations should adopt a layered security approach:

• Enable security controls such as Windows Defender, Application Control (WDAC), and robust Group Policies to prevent unauthorized scripts from running.
• Monitor for unusual PowerShell or batch script executions, especially those that disable security features.
• Restrict use of tunneling services on corporate networks unless explicitly required and monitored.
• Implement credential hygiene – use password managers with strong encryption, enable multi-factor authentication, and regularly rotate cloud service keys.
• Deploy EDR solutions that can detect suspicious process behaviors, such as unauthorized credential access or unexpected outbound tunnels.

Conclusion

DEEP#DOOR represents a growing trend in Python-based malware that combines simplicity with powerful evasion techniques. Its reliance on tunneling services and focus on cloud credentials makes it particularly dangerous for modern enterprises. By understanding its attack chain and implementing recommended defenses, security teams can better protect their systems from this stealthy threat.