Python Backdoor Framework Uses Tunneling Service to Steal Credentials

Cybersecurity researchers have identified a new Python-based backdoor framework, tracked internally as DEEP#DOOR, which is designed to establish persistent access to compromised systems and exfiltrate a wide range of sensitive information, including browser and cloud service credentials.

The discovery was detailed in a report published by security firm Securonix, which outlined how the malicious framework operates. The attack chain begins when a victim executes a batch script, named install_obf.bat. According to the researchers, this script performs multiple malicious actions in sequence.

The first task of the script is to disable Windows security controls. It does so by adding specific registry keys to tamper with Microsoft Defender Antivirus and by modifying Windows Event Tracing settings to evade detection. Once these defenses are lowered, the script dynamically extracts an embedded payload.

This payload contains the core of the DEEP#DOOR backdoor, a Python-based framework that communicates with a remote command-and-control server. A notable aspect of the operation is its use of a legitimate tunneling service to mask its network traffic. This technique allows the malicious traffic to blend in with normal internet activity, making it harder for security tools to flag the connection as suspicious.

Capabilities of the Backdoor

Once implanted, the backdoor provides attackers with a full set of capabilities for data theft and persistent access. The malware is programmed to target data stored by major web browsers, including saved credentials, cookies, and autofill data. It also focuses on cloud service credentials, particularly those associated with platforms like Amazon Web Services and Microsoft Azure, allowing attackers to potentially move laterally within a victim’s cloud environment.

Beyond credential theft, DEEP#DOOR includes functionality to capture keystrokes, take screenshots, and enumerate system files. The researchers noted that the framework acts as a persistent foothold, allowing the attacker to download additional modules and execute arbitrary commands on the host.

Attack Vector and Initial Access

The researchers did not specify the exact initial infection vector used to deliver the install_obf.bat script in the cases they observed. However, they noted that such backdoors are often distributed through phishing emails, malicious downloads, or software supply chain compromises. The script itself is obfuscated to avoid simple pattern-based detection by antivirus software.

The use of a known tunneling service for command-and-control communication is a growing trend in cyberattacks. By routing traffic through legitimate services, attackers can bypass network-based security controls that block traffic to unknown or malicious domains.

Implications for Security Teams

The discovery of DEEP#DOOR highlights several ongoing challenges for cybersecurity defenders. The combination of a Python-based payload (Python being a common and often trusted scripting language) and the abuse of legitimate services complicates detection and response efforts.

Security teams are advised to monitor for unusual batch script executions, particularly those that modify security settings or dynamically extract embedded archives. Additionally, network monitoring should focus on identifying anomalous traffic patterns, even those directed at known and trusted external services.
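The monitoring advice above can be turned into a concrete host-side check. The following is an added illustration, not code from the Securonix report or from the article, and it assumes a Sysmon-style process-creation feed with parent and child command lines. The log events, the `<tamper-value>` and `<log-name>` placeholders, and the payload file names are constructed for the example; the only page-derived name is `install_obf.bat`. It flags child processes of a batch script that touch Microsoft Defender policy keys, change event-log/ETW settings, or decode an embedded payload, and it then correlates those findings per parent script so that a single script doing several of them in sequence, as the article describes, is rated higher than any one action alone.

```python
"""Detect batch scripts that tamper with security controls and unpack payloads.

Added example. Events below are constructed Sysmon-like process-creation
records, not data from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str             # event id / timestamp label
    parent_image: str   # image of the parent process
    parent_cmdline: str # parent command line (the batch script, if any)
    image: str          # image of the created process
    cmdline: str        # created process command line


# Patterns a defender would look for beneath a batch script, matching the three
# behaviours the article attributes to the installer. Patterns are deliberately
# broad; tune them against your own baseline before alerting on them.
DEFENDER_POLICY = re.compile(r"reg(?:\.exe)?\s+add\s+.*windows defender", re.I)
EVENT_TRACING = re.compile(r"wevtutil(?:\.exe)?\s+(?:sl|cl)\b|\\autologger\\", re.I)
PAYLOAD_EXTRACT = re.compile(
    r"certutil(?:\.exe)?\s+.*[-/]decode|expand(?:\.exe)?\s|tar(?:\.exe)?\s+-x|expand-archive",
    re.I,
)


def spawned_by_batch(ev):
    """True when the parent is cmd.exe running a .bat/.cmd file."""
    return ev.parent_image.lower().endswith("cmd.exe") and re.search(
        r"\.(?:bat|cmd)\b", ev.parent_cmdline, re.I) is not None


def classify(ev):
    """Return the list of suspicious categories this event falls into."""
    reasons = []
    if not spawned_by_batch(ev):
        return reasons
    if DEFENDER_POLICY.search(ev.cmdline):
        reasons.append("defender_policy_tamper")
    if EVENT_TRACING.search(ev.cmdline):
        reasons.append("event_tracing_tamper")
    if PAYLOAD_EXTRACT.search(ev.cmdline):
        reasons.append("embedded_payload_extraction")
    return reasons


def detect(events):
    """Map event id -> reasons, for events that triggered at least one rule."""
    return {ev.ts: classify(ev) for ev in events if classify(ev)}


def correlate(events):
    """Rate each parent script: 'high' when it shows two or more distinct
    suspicious behaviours (tamper + extract in one script), else 'medium'."""
    by_parent = {}
    for ev in events:
        for reason in classify(ev):
            by_parent.setdefault(ev.parent_cmdline, set()).add(reason)
    return {p: ("high" if len(r) >= 2 else "medium") for p, r in by_parent.items()}


CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample feed: one legitimate backup script and one installer
# matching the article's description of install_obf.bat.
SAMPLE_EVENTS = [
    ProcEvent("t1", CMD, "cmd.exe /c backup.bat",
              r"C:\Windows\System32\Robocopy.exe", r"robocopy D:\data E:\backup /MIR"),
    ProcEvent("t2", CMD, "cmd.exe /c install_obf.bat", r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v <tamper-value> /t REG_DWORD /d 1 /f'),
    ProcEvent("t3", CMD, "cmd.exe /c install_obf.bat", r"C:\Windows\System32\wevtutil.exe",
              'wevtutil.exe sl "<log-name>" /e:false'),
    ProcEvent("t4", CMD, "cmd.exe /c install_obf.bat", r"C:\Windows\System32\certutil.exe",
              "certutil -decode stage.b64 stage.zip"),
    ProcEvent("t5", CMD, "cmd.exe /c backup.bat", r"C:\Windows\System32\reg.exe",
              r'reg add "HKCU\Software\ExampleCorp\Backup" /v LastRun /t REG_SZ /d ok /f'),
]

if __name__ == "__main__":
    for ts, reasons in detect(SAMPLE_EVENTS).items():
        print(ts, reasons)
    print(correlate(SAMPLE_EVENTS))
```

Run against the constructed feed, the backup script's `robocopy` and its own `reg add` pass untouched, while the three actions under `install_obf.bat` are each flagged and the script as a whole is rated `high` because it combines control tampering with payload extraction. In production the same logic would sit in a SIEM rule keyed on the parent command line, with the network side of the article's advice (baselining outbound connections to tunneling providers) handled as a separate rule.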

Source: SecurityWeek (Based on Securonix research)