
Cybersecurity researchers have revealed details of a stealthy Python-based backdoor framework called DEEP#DOOR that is able to establish persistent access and collect a wide range of sensitive information from compromised hosts.
“The compromise chain begins with the execution of a batch script (‘install_obf.bat’) that disables Windows security controls, dynamically extracts an embedded Python payload (‘svc.py’), and establishes persistence through multiple mechanisms including startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.
Batch scripts of this kind are typically distributed through conventional methods such as phishing. At this time, it is unclear how widespread the attacks distributing the malware are, or whether they have resulted in successful infections.
What is notable about this attack chain is that the core Python implant is embedded directly within the dropper script, from which it is extracted, reassembled, and executed. This reduces the need for repeated access to external infrastructure and minimizes the forensic footprint.
Once launched, the malware establishes communication with bore[.]pub, a Rust-based TCP tunneling service, through which operators issue commands that facilitate remote command execution and pervasive monitoring. The supported capabilities include:
- Reverse shell
- System reconnaissance
- Keylogging
- Clipboard monitoring
- Screenshot capture
- Webcam access
- Ambient audio recording
- Web browser credential collection
- SSH key extraction
- Credentials stored in Google Chrome, Mozilla Firefox, and Windows Credential Manager
- Cloud credential theft (Amazon Web Services, Google Cloud, and Microsoft Azure)

Using a public TCP tunneling service for command and control (C2) has several advantages for the operator: it eliminates the need to set up dedicated infrastructure, lets malicious traffic blend in with legitimate traffic to the service, and avoids embedding server details within the payload.
In parallel, DEEP#DOOR incorporates a series of anti-analysis and defense evasion mechanisms, including sandbox, debugger, and virtual machine (VM) detection, AMSI and Event Tracing for Windows (ETW) patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass, PowerShell log suppression, command-line history wiping, timestamp stomping, and log clearing, so that it flies under the radar and complicates incident response efforts.
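Several of the controls listed above leave a host-side trace when they are switched off. The following PowerShell spot-check is an added example, not code from the Securonix report or from the malware itself; it queries the Defender, SmartScreen, PowerShell logging, and event log state on the local host and surfaces anything that looks tampered with. The registry paths and event IDs are standard Windows locations; which of them DEEP#DOOR actually touches is not detailed on this page, so treat the list as a general baseline rather than a signature.

```powershell
# Added example (not from the Securonix report): spot-check the Windows security
# controls DEEP#DOOR is reported to tamper with. Run from an elevated PowerShell
# session on the host under examination. The checks and wording are our own.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Microsoft Defender: real-time protection switched off or exclusions added
try {
    $mp = Get-MpPreference -ErrorAction Stop
    if ($mp.DisableRealtimeMonitoring) { $findings.Add('Defender real-time monitoring is disabled') }
    if ($mp.DisableBehaviorMonitoring) { $findings.Add('Defender behavior monitoring is disabled') }
    if ($mp.DisableIOAVProtection)     { $findings.Add('Defender download/attachment scanning is disabled') }
    foreach ($p in $mp.ExclusionPath)      { $findings.Add("Defender path exclusion: $p") }
    foreach ($e in $mp.ExclusionExtension) { $findings.Add("Defender extension exclusion: $e") }
} catch {
    $findings.Add("Could not query Defender preferences: $($_.Exception.Message)")
}

# 2. SmartScreen: disabled by machine policy or for the current user
$ssPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnableSmartScreen -ErrorAction SilentlyContinue
if ($ssPolicy -and $ssPolicy.EnableSmartScreen -eq 0) { $findings.Add('SmartScreen disabled by policy (EnableSmartScreen=0)') }
$ssUser = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
if ($ssUser -and $ssUser.SmartScreenEnabled -eq 'Off') { $findings.Add('SmartScreen disabled for current user (SmartScreenEnabled=Off)') }

# 3. PowerShell script block logging explicitly turned off by policy
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if ($sbl -and $sbl.EnableScriptBlockLogging -eq 0) { $findings.Add('PowerShell script block logging disabled by policy') }

# 4. Event logs disabled, and evidence of log clearing
#    (Security event 1102 = audit log cleared, System event 104 = a log was cleared)
foreach ($log in 'Security', 'System', 'Microsoft-Windows-PowerShell/Operational') {
    $l = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if ($l -and -not $l.IsEnabled) { $findings.Add("Event log '$log' is disabled") }
}
$cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 5 -ErrorAction SilentlyContinue)
foreach ($ev in $cleared) {
    $findings.Add("Log cleared at $($ev.TimeCreated) (log '$($ev.LogName)', event $($ev.Id))")
}

if ($findings.Count -eq 0) { 'No tampering indicators found by this spot-check.' } else { $findings }
```

AMSI and ETW patching and NTDLL unhooking happen in the memory of the running process, so nothing in the registry or event logs records them; those need memory inspection or EDR telemetry, which this check deliberately does not attempt. A clean result here therefore rules out only the persistent, on-disk forms of tampering the article lists.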
It also employs multiple persistence mechanisms, including the creation of Windows startup folder scripts, registry Run keys, and scheduled tasks. A watchdog mechanism checks that these persistence artifacts are still in place and automatically recreates any that have been deleted, which makes the infection difficult to remediate.
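The persistence locations named above can be enumerated with built-in cmdlets. The script below is an added example written for this article, not code from Securonix or from the malware; it walks the startup folders, Run and RunOnce keys, scheduled task actions, and WMI permanent event subscriptions, and flags any entry that launches an interpreter or script. The keyword list and the registry paths are our own choices and should be tuned to the estate being checked.

```powershell
# Added example (not from the Securonix report): enumerate the persistence
# locations named for DEEP#DOOR and flag entries that launch an interpreter or
# script. Run as an administrator so HKLM keys and all scheduled tasks are visible.

# Our own keyword list; tighten or widen it for your environment
$suspect = 'python|pythonw|\.py\b|\.bat\b|\.cmd\b|\.vbs\b|\.ps1\b|wscript|cscript|powershell'
$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Source, [string]$Name, [string]$Command) {
    if ($Command -match $suspect) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Startup folders (per-user and all-users)
$startup = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startup) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        # Match on the file name, and on the first line of text-based scripts
        $preview = ''
        if ($_.Extension -match '^\.(bat|cmd|vbs|ps1|py)$') {
            $preview = Get-Content -Path $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue
        }
        Add-Hit 'StartupFolder' $_.FullName "$($_.Name) $preview"
    }
}

# 2. Registry Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties
        if ($p.Name -notmatch '^PS') { Add-Hit $key $p.Name ([string]$p.Value) }
    }
}

# 3. Scheduled tasks whose action runs an interpreter or script
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
    }
}

# 4. WMI permanent event subscriptions
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Hit 'WMIConsumer' $_.Name ([string]$_.CommandLineTemplate)
}
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue | ForEach-Object {
    # Bindings carry no command line; list every one so the analyst can pair it with its consumer
    $hits.Add([pscustomobject]@{ Source = 'WMIBinding'; Name = [string]$_.Filter; Command = [string]$_.Consumer })
}

$hits | Format-Table -AutoSize -Wrap
```

Because the article describes a watchdog that recreates deleted artifacts, deleting a flagged entry and re-running the script a few minutes later is itself a useful test: an entry that reappears points to a still-running process that must be stopped before cleanup will hold. Snapshot the output before any remediation so the original artifacts are preserved for the incident record.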
“The resulting implant operates as a full-featured remote access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within a compromised environment,” Securonix said. “This implant prioritizes detection evasion and forensic visibility by directly modifying Windows security and telemetry mechanisms.”
“DEEP#DOOR highlights the continued evolution of threat actors towards fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages such as Python. By embedding payloads directly within droppers and extracting them at runtime, malware significantly reduces external dependencies and limits traditional detection opportunities.”
