★ 8/10 · Security · 2026-04-30

New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Summary

DEEP#DOOR is a Python-based backdoor framework designed for persistent access, surveillance, and credential exfiltration. The malware utilizes a batch script to extract an embedded Python payload at runtime, leveraging public tunneling services to facilitate remote command execution and bypass network defenses.

Key Points

  • Uses an initial batch script (install_obf.bat) to extract and execute an embedded Python payload (svc.py).
  • Employs the bore.pub Rust-based tunneling service for Command and Control (C2) communication.
  • Capable of harvesting credentials from Google Chrome, Mozilla Firefox, and Windows Credential Manager, as well as cloud environments including AWS, Google Cloud, and Microsoft Azure.
  • Implements multiple persistence mechanisms, including Registry Run keys, scheduled tasks, Startup folder scripts, and WMI subscriptions.
  • Features a watchdog mechanism designed to automatically recreate any deleted persistence artifacts.
  • Includes advanced evasion techniques such as AMSI and ETW patching, NTDLL unhooking, and sandbox/VM detection.

Technical Details

The DEEP#DOOR intrusion chain is characterized by a fileless approach where the core Python implant is embedded directly within the dropper script. Upon execution, the install_obf.bat script disables Windows security controls and reconstructs the svc.py payload in memory, minimizing the forensic footprint and reducing the need for external infrastructure during the initial infection phase. Once established, the implant uses the bore.pub tunneling service to create a communication channel for a reverse shell, allowing for remote system reconnaissance, keylogging, and media capture (webcam and audio).

To maintain stealth, the framework incorporates a comprehensive suite of anti-analysis and defense evasion modules. These include the ability to suppress PowerShell logging, perform timestamp stomping, and clear system logs. The malware also targets Windows telemetry by patching the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and it employs NTDLL unhooking to evade detection by security software monitoring system calls. The modular nature of the framework allows for the integration of various post-exploitation tools, including SSH key extraction and clipboard monitoring.

Impact / Why It Matters

Developers and system administrators should monitor for unauthorized use of public tunneling services like bore.pub and implement strict execution policies for batch and Python scripts. The framework's ability to target cloud provider credentials (AWS, GCP, Azure) necessitates robust identity and access management (IAM) and the monitoring of anomalous credential usage.
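As an added example (not code from the report, and not the malware's own code), the following Python triage script covers two of the detection opportunities raised above: the dropper flow in Technical Details, where a batch script launches a Python interpreter on a reconstructed script, and the use of a public tunneling service flagged here under Impact. The Sysmon-style process-creation events, the DNS log lines, the workstation names and the user paths are constructed for illustration; only install_obf.bat, svc.py and bore.pub come from the report.

```python
import re
from dataclasses import dataclass

# Public tunneling service named in the report. A defender would extend this set
# with the other tunneling services on their environment's block list.
TUNNEL_DOMAINS = {"bore.pub"}

# Constructed Sysmon-style process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\install_obf.bat"',
     "Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
     "CommandLine": r"python.exe C:\Users\alice\AppData\Local\Temp\svc.py"},
    {"ParentImage": r"C:\Program Files\JetBrains\PyCharm\bin\pycharm64.exe",
     "ParentCommandLine": r'"C:\Program Files\JetBrains\PyCharm\bin\pycharm64.exe"',
     "Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe C:\Users\alice\projects\app\main.py"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c build.bat",
     "Image": r"C:\Windows\System32\msbuild.exe",
     "CommandLine": r"msbuild.exe proj.sln"},
]

# Constructed DNS query log lines (not real telemetry).
DNS_LOG = """\
2026-04-30T10:01:12Z host=WS-042 query=update.microsoft.com type=A
2026-04-30T10:02:45Z host=WS-042 query=bore.pub type=A
2026-04-30T10:02:46Z host=WS-042 query=api.github.com type=A
2026-04-30T10:03:10Z host=WS-017 query=bore.pub type=A
"""


@dataclass
class Finding:
    rule: str      # which rule fired
    subject: str   # host name or image path the finding is about
    detail: str    # supporting evidence from the event


BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
PYTHON_RE = re.compile(r"\\pythonw?\d*\.exe$", re.IGNORECASE)
# User-writable staging locations; tune to the environment (assumption).
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)
DNS_LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<query>\S+) type=(?P<type>\S+)$")


def batch_spawns_python(event: dict) -> bool:
    """Rule 1: a batch script run through cmd.exe starts a Python interpreter whose
    script argument sits in a user-writable path. This mirrors the dropper flow in
    the report (install_obf.bat reconstructing and launching svc.py)."""
    parent_is_batch = ("cmd.exe" in event["ParentImage"].lower()
                       and BATCH_RE.search(event["ParentCommandLine"]) is not None)
    child_is_python = PYTHON_RE.search(event["Image"]) is not None
    staged_script = USER_WRITABLE_RE.search(event["CommandLine"]) is not None
    return parent_is_batch and child_is_python and staged_script


def tunnel_lookups(log_text: str) -> list:
    """Rule 2: any DNS query for a known tunneling-service domain or a subdomain of it."""
    findings = []
    for line in log_text.splitlines():
        m = DNS_LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the constructed format
        q = m["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS):
            findings.append(Finding("tunnel-service-dns", m["host"], f"{m['ts']} query={q}"))
    return findings


def triage(events: list, dns_text: str) -> list:
    """Run both rules and return the combined findings, process rule first."""
    findings = [Finding("batch-spawns-staged-python", e["Image"], e["CommandLine"])
                for e in events if batch_spawns_python(e)]
    findings.extend(tunnel_lookups(dns_text))
    return findings


if __name__ == "__main__":
    for f in triage(PROCESS_EVENTS, DNS_LOG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Both rules are deliberately narrow so they stay cheap to run over bulk telemetry: the process rule keys on the parent being cmd.exe with a .bat/.cmd argument and the script living under a user-writable path, which separates the dropper pattern from a developer's IDE launching python.exe on a project file. DNS-based detection only sees the lookup, so pair it with proxy or netflow records for hosts that connect by IP.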

security python malware