Researchers at Securonix have documented a Python-based backdoor framework named DEEP#DOOR that establishes persistent access to compromised Windows hosts and harvests a broad range of sensitive data. Their analysis highlights how quietly the backdoor can be planted and how much it can collect once running.
Intrusion Methodology and Attack Chain
The intrusion begins with the execution of a batch script ('install_obf.bat') that disables Windows security features. The script then decodes a Python payload ('svc.py') embedded within it, writes it to disk, and establishes persistence through several channels at once: scripts in the Startup folder, registry Run keys, scheduled tasks and, optionally, WMI event subscriptions.
The batch script is most likely delivered through conventional phishing. How widely the malware has spread and how effective it has been remain unknown; the researchers are still assessing its reach and impact.
Unique Attack Characteristics
A distinctive aspect of this attack is that the core Python implant is carried inside the dropper script itself rather than fetched in a second stage. No download from attacker infrastructure is needed, which removes the network indicator defenders most often catch and leaves less for forensic analysts to trace. Once running, the implant connects to 'bore[.]pub', the public endpoint of bore, a Rust-based TCP tunneling tool; the tunnel gives the attackers a path into the host over which they execute remote commands and run surveillance.
Those capabilities include a reverse shell, system reconnaissance, keylogging, clipboard monitoring, screenshot and webcam capture, ambient audio recording, and harvesting of credentials stored by web browsers and by cloud tooling for Amazon Web Services, Google Cloud and Microsoft Azure.
Advanced Evasion Techniques
DEEP#DOOR employs a broad set of anti-analysis and evasion techniques: sandbox, debugger and virtual machine detection; AMSI and ETW patching; NTDLL unhooking; tampering with Microsoft Defender; bypassing SmartScreen; suppressing PowerShell logging; erasing command-line history; and altering file timestamps and clearing event logs.
Persistence is deliberately layered across the Startup folder, registry Run keys and scheduled tasks, and a watchdog routine recreates any of these artifacts if they are removed. Deleting a single entry therefore does not evict the implant; remediation has to stop the watchdog and remove every artifact together, which complicates clean-up.
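The attack chain, the layered persistence and the telemetry tampering described above all leave traces in standard Windows telemetry. The following added example (not code from Securonix or from the malware) shows detection logic for that chain run over constructed events that mimic Sysmon and Windows Security event fields. The file paths, the registry value names, the SID, the Sysmon event IDs used for file, registry, network and WMI activity, and the port number on the tunnel event are all assumptions made for the sample; only 'install_obf.bat', 'svc.py' and 'bore[.]pub' come from the article.

```python
"""Detection logic for a DEEP#DOOR-style chain (batch dropper -> embedded
Python implant -> multi-location persistence -> outbound tunnel -> telemetry
tampering), run over constructed Sysmon / Windows Security-like events.
Added example; not code from Securonix or from the malware itself."""
import re

# Directories a dropped implant typically lands in (assumption; tune per environment).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
PY_HOST = re.compile(r"\\pythonw?\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\(cmd|wscript|cscript|powershell)\.exe$", re.I)
PY_REF = re.compile(r"python|\.py\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Registry values whose change weakens Defender or PowerShell logging
# (the "tampering with Defender" and "suppressing PowerShell logs" TTPs).
TELEMETRY_KEYS = re.compile(
    r"(Windows Defender\\.*\\DisableRealtimeMonitoring"
    r"|Windows Defender\\DisableAntiSpyware"
    r"|PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
    r"|PowerShell\\ModuleLogging\\EnableModuleLogging)$", re.I)

# Stage-1 (execution/persistence) and stage-2 (tunnel/anti-forensics) rules;
# a host that trips one of each looks like the full chain, not a lone artifact.
STAGE1 = {"python_from_script_host_user_dir", "persistence_run_key_python",
          "persistence_scheduled_task_python", "persistence_wmi_consumer_python",
          "persistence_startup_folder"}
STAGE2 = {"tunnel_bore_pub", "telemetry_tampering_registry",
          "history_file_deleted", "security_log_cleared"}


def check_event(ev):
    """Return the names of the rules that fire on one event dict."""
    hits = []
    eid = ev.get("EventID")
    img, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    if eid == 1:  # Sysmon process creation
        if (PY_HOST.search(img) and SCRIPT_HOST.search(ev.get("ParentImage", ""))
                and USER_WRITABLE.search(cmd)):
            hits.append("python_from_script_host_user_dir")
        if (img.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower()
                and PY_REF.search(cmd)):
            hits.append("persistence_scheduled_task_python")
    elif eid == 3 and ev.get("DestinationHostname", "").lower().endswith("bore.pub"):
        hits.append("tunnel_bore_pub")  # Sysmon network connection
    elif eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        hits.append("persistence_startup_folder")  # Sysmon file create
    elif eid == 13:  # Sysmon registry value set
        tgt, det = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY.search(tgt) and PY_REF.search(det):
            hits.append("persistence_run_key_python")
        if TELEMETRY_KEYS.search(tgt):
            hits.append("telemetry_tampering_registry")
    elif eid == 20 and PY_REF.search(ev.get("Destination", "")):
        hits.append("persistence_wmi_consumer_python")  # Sysmon WMI consumer
    elif eid in (23, 26) and ev.get("TargetFilename", "").lower().endswith("consolehost_history.txt"):
        hits.append("history_file_deleted")  # Sysmon file delete
    elif eid == 1102 and ev.get("Channel") == "Security":
        hits.append("security_log_cleared")  # Security log cleared
    return hits


def triage(events):
    """Aggregate rule hits and report whether both stages are present."""
    counts = {}
    for ev in events:
        for rule in check_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    fired = set(counts)
    return {"hits": counts,
            "chain_detected": bool(fired & STAGE1) and bool(fired & STAGE2)}


# Constructed sample telemetry (not real log data); the last two events are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
     "CommandLine": r'python.exe "C:\Users\alice\AppData\Roaming\svc.py"',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c install_obf.bat"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"python.exe C:\Users\alice\AppData\Roaming\svc.py"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn svc /tr "python.exe C:\Users\alice\AppData\Roaming\svc.py"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 20, "Name": "svc", "Type": "Command Line",
     "Destination": r'python.exe "C:\Users\alice\AppData\Roaming\svc.py"'},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
     "DestinationHostname": "bore.pub", "DestinationPort": 7835},  # port is illustrative
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 23, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"EventID": 1102, "Channel": "Security"},
    {"EventID": 1, "Image": r"C:\Program Files\Python311\python.exe",
     "CommandLine": r'python.exe "C:\Program Files\build\setup.py"',
     "ParentImage": r"C:\Program Files\JetBrains\PyCharm\bin\pycharm64.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Python311\python.exe",
     "DestinationHostname": "pypi.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The two-stage verdict is the point of the design: a developer running a script from AppData or a single Run key trips one rule and is noise on its own, but a host that also opens a tunnel to bore.pub, flips Defender or script-block logging off, or clears the Security log matches the article's chain and deserves a full persistence sweep, watchdog process included, rather than deletion of whichever artifact was noticed first.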
Operating as a full-featured Remote Access Trojan (RAT), DEEP#DOOR can maintain long-term access, conduct espionage, support lateral movement, and carry out post-exploitation activity inside a compromised environment. Its design is built around evading detection by manipulating the very Windows security and telemetry features defenders rely on.
Implications and Future Outlook
The emergence of DEEP#DOOR underscores the continuing shift by threat actors toward script-driven intrusion frameworks that lean on native system components and interpreted languages such as Python rather than compiled malware. By embedding the payload in the dropper and decoding it at runtime, the malware avoids a second-stage download and so sidesteps the network-based detections defenders traditionally depend on.
For defenders the practical lesson is to monitor the persistence locations the malware uses (Startup folder, Run keys, scheduled tasks and WMI subscriptions), to alert on changes to Defender and PowerShell logging settings and on event-log clearing, and to treat a Python interpreter launched by a batch script from a user-writable path as suspect until proven otherwise. Organizations should keep such monitoring continuous and stay informed about evolving threats of this kind to protect their sensitive information.
