DEEP#DOOR: Stealthy Python Backdoor Targets Browser and Cloud Credentials via Tunneling Service
<h2>Overview</h2>
<p>Cybersecurity researchers have disclosed a sophisticated Python-based backdoor framework known as <strong>DEEP#DOOR</strong>, designed to establish persistent access to compromised systems and exfiltrate sensitive data, including browser cookies, credentials, and cloud authentication tokens. The threat relays its command-and-control (C2) traffic through a public tunneling service to conceal the attacker's infrastructure, making detection challenging.</p>
<figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnv1KtLLlZSnm9a16bN-o_szrBiAIN_QljTfe09K4RzFxSqhFADtuXmRzOPZ_Poazif-VadFAnRnboCWX5yZtc5JntGopn5Fy6T1X2BexXelFOxYtEA7qULoTCkAMwEybLf42JJ_yGjSPf_T-tjYvbqxscVgZ6OyL65yKcTjC0KQL48pgYLZUmLjxfBBhd/s1600/malware-data.jpg" alt="DEEP#DOOR: Stealthy Python Backdoor Targets Browser and Cloud Credentials via Tunneling Service" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure>
<h2 id="attack-chain">Attack Chain</h2>
<h3>Initial Execution</h3>
<p>The intrusion begins with the execution of a batch script, <code>install_obf.bat</code>, which is typically delivered via phishing emails or malicious downloads. This script serves as the initial dropper, extracting and executing the Python-based payload.</p>
<h3 id="disable-security">Disabling Windows Security Controls</h3>
<p>One of the first actions of the script is to disable Windows security features, such as <strong>Windows Defender</strong> and <strong>User Account Control (UAC)</strong>. It achieves this by modifying registry keys and stopping the relevant services, thereby reducing the likelihood of immediate detection.</p>
<h2 id="capabilities">Capabilities of DEEP#DOOR</h2>
<h3>Persistent Access</h3>
<p>DEEP#DOOR maintains access across reboots by installing itself as a scheduled task or Windows service that launches automatically at system boot. It also employs obfuscation techniques to evade antivirus and endpoint detection solutions.</p>
<h3>Data Harvesting</h3>
<p>The backdoor is specifically designed to harvest a wide range of sensitive information, including:</p>
<ul>
<li>Browser-stored credentials (usernames, passwords) from Chrome, Firefox, Edge, and other popular browsers</li>
<li>Session cookies and tokens for accessing web applications</li>
<li>Cloud service API keys and authentication tokens from platforms such as AWS, Azure, and Google Cloud</li>
<li>System information (OS version, installed software, network configuration)</li>
</ul>
<h2 id="tunneling-service">Tunneling Service Role</h2>
<p>A key feature of DEEP#DOOR is its use of a public tunneling service to relay C2 communications. By routing traffic through a legitimate service (such as <em>ngrok</em> or similar), the backdoor bypasses network firewalls and intrusion detection systems, because the traffic looks like ordinary encrypted web traffic destined for a widely used domain. This technique hides the attacker's true infrastructure and complicates forensic analysis.</p>
<figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyqUz0-ifa8jE9rCzud3wzxmhcuzTp1VOWFEvGMoZXDYfaB_4459fPyvyQw7wvAnzjzDL09PkyJM83QGheO69fC3esg1WA7WnJ89i_t_q3K8DxYmgV__QujU8RWRnCK4MpbKqu8nwuMFfLaiRVHy_ov7IZ16hoKI3rIu-5BcISmqXPjlQU7N0sa4lWI-n-/s728-e100/wiz-d.png" alt="DEEP#DOOR: Stealthy Python Backdoor Targets Browser and Cloud Credentials via Tunneling Service" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure>
<h2 id="credential-theft">Browser and Cloud Credential Theft</h2>
<p>Once access is established, DEEP#DOOR systematically extracts browser credential databases (e.g., Chrome's Login Data file) and cloud configuration files. It specifically targets:</p>
<ol>
<li><strong>Browser Credentials:</strong> Decrypts stored passwords using the browser's own encryption mechanisms (e.g., DPAPI on Windows).</li>
<li><strong>Cloud Tokens:</strong> Reads environment variables, configuration files, and credential manager entries that contain <strong>AWS Access Key ID</strong>, <strong>Azure Client Secret</strong>, and <strong>Google Cloud Service Account keys</strong>.</li>
</ol>
<p>This data is then exfiltrated via the tunneling service to attacker-controlled servers, enabling lateral movement and compromise of the victim's cloud infrastructure.</p>
<h2 id="conclusion">Conclusion</h2>
<p>The discovery of DEEP#DOOR highlights the evolving sophistication of Python-based malware, particularly its integration of tunneling services to evade network defenses. Organizations are advised to enforce strict endpoint security policies, monitor for <code>install_obf.bat</code> execution, and implement multi-factor authentication for cloud accounts to mitigate such threats. Regular security awareness training can also reduce the risk of initial infection through phishing.</p>
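<p>The attack chain and the monitoring advice above translate into four host-level behaviours a defender can look for: execution of <code>install_obf.bat</code>, registry writes that switch off Defender or UAC, scheduled-task creation for persistence, and outbound connections from an unexpected process to a public tunneling domain. The script below is an added detection example written for this page; it is not code from the researchers or from the malware. The log lines are constructed in a simplified Sysmon-like key=value format, the registry value names (<code>DisableAntiSpyware</code>, <code>DisableRealtimeMonitoring</code>, <code>EnableLUA</code>) are well-known policy values assumed here because the article names only "registry keys", and the tunnel domain suffixes are assumed examples (the article names only ngrok).</p>

```python
"""Detection sketch for the DEEP#DOOR behaviours described in the article.

Added example, not the researchers' or the malware's code. Events are
constructed in a simplified key=value format loosely modelled on Sysmon
(EventID 1 = process creation, 3 = network connection, 13 = registry value set).
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry; NOT real DEEP#DOOR indicators.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c C:\\Users\\alice\\Downloads\\install_obf.bat"',
    'EventID=13 Image=C:\\Windows\\System32\\reg.exe TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware Details=DWORD (0x00000001)',
    'EventID=13 Image=C:\\Windows\\System32\\reg.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA Details=DWORD (0x00000000)',
    'EventID=1 Image=C:\\Windows\\System32\\schtasks.exe CommandLine="schtasks /create /sc onstart /tn Updater /tr C:\\ProgramData\\py\\pythonw.exe"',
    'EventID=3 Image=C:\\ProgramData\\py\\pythonw.exe DestinationHostname=example-tunnel.ngrok-free.app DestinationPort=443',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
    'EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=www.mozilla.org DestinationPort=443',
]

# Dropper name as given in the article.
DROPPER_NAME = "install_obf.bat"

# Registry value name -> the DWORD that weakens the control. The article says
# only "registry keys"; these specific policy values are an assumption.
WEAKENING_VALUES = {
    "disableantispyware": 1,
    "disablerealtimemonitoring": 1,
    "enablelua": 0,
}

# Public tunneling-service suffixes. ngrok is named in the article; the others
# are illustrative assumptions and should be tuned to your environment.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".trycloudflare.com", ".loca.lt")

# key=value pairs where a value is either a double-quoted string or runs
# (non-greedily) up to the next " key=" or end of line, so values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')


@dataclass
class Finding:
    rule: str
    event: dict


def parse_event(line: str) -> dict:
    """Turn one constructed log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def _dword(details: str):
    """Extract the hexadecimal DWORD from a 'DWORD (0x...)' details string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None


def check_event(ev: dict) -> list:
    """Return the names of every rule the event matches (possibly several)."""
    hits = []
    cmd = ev.get("CommandLine", "").lower()
    if DROPPER_NAME in cmd:
        hits.append("dropper_execution")
    if ev.get("EventID") == "13":
        name = ev.get("TargetObject", "").rsplit("\\", 1)[-1].lower()
        # Only flag writes that actually weaken the control, not writes that restore it.
        if name in WEAKENING_VALUES and _dword(ev.get("Details", "")) == WEAKENING_VALUES[name]:
            hits.append("security_control_tampering")
    if "schtasks" in cmd and "/create" in cmd:
        hits.append("scheduled_task_persistence")
    if ev.get("EventID") == "3":
        host = ev.get("DestinationHostname", "").lower()
        if host.endswith(TUNNEL_SUFFIXES):
            hits.append("tunnel_service_c2")
    return hits


def scan(lines) -> list:
    """Run every rule over every line and return the matches."""
    return [Finding(rule, ev) for ev in map(parse_event, lines) for rule in check_event(ev)]


def summarize(lines) -> dict:
    """Count findings per rule, e.g. for an alert dashboard."""
    counts = {}
    for f in scan(lines):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event.get('Image')} {f.event.get('CommandLine') or f.event.get('TargetObject') or f.event.get('DestinationHostname')}")
    print(summarize(SAMPLE_EVENTS))
```

<p>Each rule on its own will produce false positives (administrators do create scheduled tasks, and developers do use ngrok), so in practice these hits are worth correlating on the same host within a short window; seeing the dropper, a Defender policy change and a tunnel connection from a Python interpreter together is the pattern the article describes.</p>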