Unveiling DEEP#DOOR: A Python Backdoor Targeting Browser and Cloud Credentials via Tunneling
DEEP#DOOR, a Python backdoor, steals browser and cloud credentials via tunneling services, disabling Windows security to gain persistent access.
Cybersecurity researchers have recently uncovered a sophisticated Python-based backdoor framework known as DEEP#DOOR, designed to establish persistent access to compromised systems and stealthily exfiltrate a wide array of sensitive data. This threat specifically targets browser-stored credentials and cloud service authentication tokens, leveraging tunneling services to maintain covert communication channels. The following analysis breaks down the attack chain, core capabilities, and recommended defenses against this emerging threat.
Infection Chain: How DEEP#DOOR Gains a Foothold
The intrusion begins with a seemingly innocuous execution that rapidly escalates into full system compromise. Understanding each stage of this chain is critical for detection and prevention.
Initial Execution via Obfuscated Batch Script
Attackers deploy the backdoor through a batch script named install_obf.bat. This script is heavily obfuscated to evade signature-based detection and static analysis. Upon execution, it initiates a sequence of commands that download and unpack the main payload components from a remote server. The script also performs environment checks to ensure it is running on a target Windows system before proceeding to the next phase.
Disabling Windows Security Controls
One of the first actions taken by install_obf.bat is to tamper with native Windows security mechanisms. It attempts to disable Windows Defender real-time monitoring, modify registry keys to lower User Account Control (UAC) settings, and stop security-related services. By neutralizing these defenses early, the malware reduces the likelihood of immediate detection and allows subsequent payloads to execute undisturbed. This stage also establishes persistence by adding scheduled tasks or registry run keys to ensure the backdoor survives reboots.
Core Capabilities of the DEEP#DOOR Backdoor
Once installed, DEEP#DOOR operates as a modular framework, enabling attackers to dynamically load additional functionalities. Its primary objective is credential theft, but it also supports remote command execution, file exfiltration, and system surveillance.
Browser Credential Harvesting
The backdoor includes specialized modules to extract saved passwords, cookies, and autofill data from popular browsers such as Chrome, Firefox, and Edge. It targets encrypted credential stores by leveraging Windows API calls and direct database access (e.g., Chrome's Login Data SQLite file). Decryption is achieved using the Windows Data Protection API (DPAPI) or by stealing the master decryption key from memory. Harvested credentials are temporarily stored in encrypted form before exfiltration.
Cloud Credential and Token Theft
Beyond browser data, DEEP#DOOR specifically hunts for cloud service credentials. It scans for stored tokens and session files associated with AWS CLI, Azure PowerShell, Google Cloud SDK, and other cloud management tools. By stealing these tokens, attackers can gain persistent, authenticated access to cloud environments, often without triggering additional authentication prompts. This allows them to pivot within cloud infrastructure, deploy resources, or access sensitive data stored in S3 buckets, Azure Blob Storage, or similar services.
Utilizing Tunneling Services for Covert Communication
A distinctive aspect of DEEP#DOOR is its reliance on legitimate tunneling services to maintain command-and-control (C2) communications. Instead of using custom servers or known malicious IPs, the backdoor routes traffic through services like ngrok or similar reverse proxies. This technique effectively masks the true C2 endpoint, making it appear as benign outbound traffic to a legitimate service. The tunneling also provides end-to-end encryption, hindering network-based detection and deep packet inspection. In some observed cases, the malware uses multiple tunneling endpoints in a rotation scheme to increase resiliency against takedowns.
Conclusion and Mitigation Strategies
The DEEP#DOOR backdoor represents a growing trend among threat actors: leveraging legitimate tools and services to blend in with normal network traffic while focusing on credential theft. Organizations should implement the following measures to reduce risk:
- Enforce application whitelisting to block unauthorized scripts like
install_obf.batfrom executing. - Monitor for unusual PowerShell or cmd activity, especially scripts that disable security controls.
- Use Endpoint Detection and Response (EDR) solutions that can detect behavior such as DPAPI access or browser database queries.
- Implement network segmentation and restrict outbound connections to known tunneling services unless explicitly needed.
- Regularly rotate cloud service keys and monitor for anomalous token usage via cloud provider logs (e.g., AWS CloudTrail, Azure Activity Logs).
- Educate users about the dangers of executing unsolicited scripts or enabling macros from untrusted sources.
By understanding the mechanics of DEEP#DOOR and proactively hardening defenses, security teams can better protect sensitive credentials and infrastructure from this stealthy Python-based adversary.