Overview
Cybersecurity researchers have documented a Python-based backdoor framework tracked as DEEP#DOOR, built to keep persistent access to compromised Windows systems and to exfiltrate browser cookies, stored credentials, and cloud authentication tokens. It relays its command-and-control (C2) traffic through a public tunneling service, so the only network indicator a defender sees is a connection to that service's domain rather than to the operator's own infrastructure, which makes detection harder.

Attack Chain
Initial Execution
The intrusion begins with a batch script, install_obf.bat, typically delivered through a phishing email or a malicious download. The script acts as the initial dropper, extracting and launching the Python-based payload. The file name is a weak indicator on its own, since it is trivially changed; detection should key on what the script does rather than on what it is called.
Disabling Windows Security Controls
One of the script's first actions is to weaken Windows security controls such as Microsoft Defender and User Account Control (UAC) by modifying registry values and stopping the associated services, reducing the chance of immediate detection. Both actions require administrative rights, the UAC change only takes effect after a reboot, and on systems with Defender Tamper Protection enabled the Defender changes are blocked or reverted. The attempt is therefore a high-fidelity detection opportunity rather than something to assume succeeds silently.
Capabilities of DEEP#DOOR
Persistent Access
DEEP#DOOR establishes persistence by registering itself as a scheduled task or a Windows service so that it relaunches at boot, and obfuscates its code to evade antivirus and endpoint detection products. Scheduled tasks and services are enumerable, so a newly created task or service whose action runs a Python interpreter or a script from a user-writable directory is a practical hunting criterion.
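The attack chain described above (dropper batch, Defender and UAC tampering, then task or service persistence) maps onto a handful of Windows telemetry events. The following Python is an added detection example written for this page; it is not code from the DEEP#DOOR report or from the malware. It runs one rule per stage over a constructed set of Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) events. The registry value names, Defender service names and the user-writable path list are well-known Windows specifics chosen for the example, not indicators published for this backdoor, and the host paths and task names are invented.

```python
import re

# Constructed Sysmon-style events, not real telemetry. EventID 1 = process creation,
# EventID 13 = registry value set; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\install_obf.bat"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": (r'schtasks /create /sc onlogon /tn "WindowsUpdateHelper" '
                     r'/tr "C:\Users\alice\AppData\Local\svc\pythonw.exe C:\Users\alice\AppData\Local\svc\main.py"')},
    # Benign noise that the rules must not flag.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\SignatureLocation",
     "Details": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# Registry values that disable Defender or UAC when set to the listed DWORD.
# Well-known paths used for the example; the report does not name the keys the script touches.
TAMPER_VALUES = {
    r"\policies\microsoft\windows defender\disableantispyware": "0x00000001",
    r"\windows defender\real-time protection\disablerealtimemonitoring": "0x00000001",
    r"\policies\system\enablelua": "0x00000000",
}
DEFENDER_SERVICES = ("windefend", "wdnissvc", "sense")          # Defender AV, NIS, Defender for Endpoint
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|downloads|programdata)\\", re.I)
PY_OR_SCRIPT = re.compile(r"pythonw?\.exe|\.(bat|cmd|py)\b", re.I)


def _registry_finding(ev):
    target = ev["TargetObject"].lower()
    for suffix, bad_value in TAMPER_VALUES.items():
        if target.endswith(suffix) and bad_value in ev.get("Details", "").lower():
            return ("defender_uac_registry_tamper", ev["TargetObject"])
    return None


def _process_finding(ev):
    cmd = ev["CommandLine"]
    low = cmd.lower()
    if "install_obf.bat" in low:           # file name from the report: weak, trivially renamed
        return ("dropper_batch_name", cmd)
    m = re.search(r"\bsc(?:\.exe)?\s+(stop|config|delete)\s+(\S+)", low)
    if m and m.group(2) in DEFENDER_SERVICES:
        return ("defender_service_tamper", cmd)
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    if "/create" in low and m:
        action = m.group(1) or m.group(2)
        # Persistence via a task that launches an interpreter/script from a user-writable path.
        if PY_OR_SCRIPT.search(action) and USER_WRITABLE.search(action):
            return ("persistence_scheduled_task", action)
    m = re.search(r'binpath=\s*"?([^"]+)', cmd, re.I)
    if re.search(r"\bsc(?:\.exe)?\s+create\b", low) and m and PY_OR_SCRIPT.search(m.group(1)):
        return ("persistence_service", m.group(1))
    return None


def analyze(events):
    """Return (rule, evidence) pairs for events matching the DEEP#DOOR-style chain."""
    findings = []
    for ev in events:
        hit = None
        if ev["EventID"] == 13:
            hit = _registry_finding(ev)
        elif ev["EventID"] == 1:
            hit = _process_finding(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS):
        print(f"{rule:30} {evidence}")
```

On real telemetry the three stages should be correlated on the same host within a short window: a registry tamper alone is noisy in some environments, but a tamper followed by a Defender service stop and a new task launching pythonw.exe from AppData is the whole chain on this page.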
Data Harvesting
The backdoor is specifically designed to harvest a wide range of sensitive information, including:
- Browser-stored credentials (usernames, passwords) from Chrome, Firefox, Edge, and other popular browsers
- Session cookies and tokens for accessing web applications
- Cloud service API keys and authentication tokens from platforms like AWS, Azure, and Google Cloud
- System information (OS version, installed software, network configuration)
Tunneling Service Role
A defining feature of DEEP#DOOR is that it relays its C2 communication through a public tunneling service such as ngrok. The implant makes an outbound TLS connection to the provider's domain, which reputation-based web filtering and many intrusion detection signatures treat as ordinary HTTPS to a trusted host, so the traffic passes egress controls that would block a connection to an unknown IP address. The attacker's own server sits behind the tunnel and never appears in the victim's network logs, which hides the real infrastructure and complicates forensic attribution. The flip side for defenders is that the tunnel provider's domains are a stable indicator: an endpoint with no business reason to reach them, particularly from a Python process, should be alerted on or blocked.
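To show what tunnel-relayed C2 looks like from the network side, here is an added Python example, written for this page and not taken from the report, that runs over constructed egress log lines: it flags destinations under tunnel-provider domains, looks for the near-constant connection cadence typical of a beacon, and surfaces unusually large uploads to those destinations. The log format, host names, process names, the random ngrok subdomain and the list of provider suffixes are assumptions made for the example; extend the suffix list to whatever providers matter in your environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Tunnel-provider domain suffixes (assumed list for the example; extend as needed).
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok.dev",
                   ".trycloudflare.com", ".loca.lt", ".serveo.net")

# Constructed egress records; a real source would be proxy logs or EDR network events.
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
                    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) out=(?P<out>\d+) in=(?P<in>\d+)$")

SAMPLE_LOG = """\
2024-05-02T10:00:00Z host=WS-042 proc=pythonw.exe dst=a1b2c3d4.ngrok-free.app:443 out=2310 in=510
2024-05-02T10:00:12Z host=WS-042 proc=chrome.exe dst=www.example.com:443 out=4100 in=188000
2024-05-02T10:05:01Z host=WS-042 proc=pythonw.exe dst=a1b2c3d4.ngrok-free.app:443 out=2290 in=498
2024-05-02T10:10:00Z host=WS-042 proc=pythonw.exe dst=a1b2c3d4.ngrok-free.app:443 out=2330 in=505
2024-05-02T10:15:02Z host=WS-042 proc=pythonw.exe dst=a1b2c3d4.ngrok-free.app:443 out=910400 in=520
2024-05-02T10:16:40Z host=WS-017 proc=OUTLOOK.EXE dst=outlook.office365.com:443 out=30000 in=90000
2024-05-02T10:20:00Z host=WS-017 proc=teams.exe dst=teams.microsoft.com:443 out=120000 in=400000
"""


def parse_log(text):
    """Parse the constructed line format into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for key in ("port", "out", "in"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_tunnel_domain(name):
    name = name.lower()
    return any(name.endswith(s) for s in TUNNEL_SUFFIXES)


def tunnel_hits(records):
    return [r for r in records if is_tunnel_domain(r["dst"])]


def beacons(records, min_count=4, max_jitter=0.2):
    """(host, dst, mean interval seconds) for host/destination pairs whose
    connection cadence is near-constant: the shape of a periodic C2 check-in."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["host"], r["dst"])].append(r["ts"])
    found = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((host, dst, avg))
    return found


def report(text, upload_bytes=500_000):
    """Combine the three signals; a tunnel destination that also beacons and
    then uploads a large blob is the exfiltration pattern described on this page."""
    recs = parse_log(text)
    hits = tunnel_hits(recs)
    return {
        "tunnel_destinations": sorted({(r["host"], r["proc"], r["dst"]) for r in hits}),
        "beacons": beacons(recs),
        "large_uploads": [(r["host"], r["dst"], r["out"]) for r in hits if r["out"] >= upload_bytes],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Suffix matching is deliberate: ngrok and similar services hand out random subdomains, so exact domain lists never stay current, while the provider's apex domains do. The cadence check works on any destination and is what catches a tunnel provider you did not list.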

Browser and Cloud Credential Theft
Once access is established, DEEP#DOOR systematically extracts browser credential databases (e.g., Chrome's Login Data file) and cloud configuration files. It specifically targets:
- Browser Credentials: Decrypts stored passwords using the browser's own protection scheme. Chromium-based browsers on Windows wrap the database key with DPAPI under the user's account, and because the backdoor runs in that user's session it can unwrap the key and decrypt the entries without knowing any secret; Firefox uses its own NSS key store, which is equally readable unless a primary password is set.
- Cloud Tokens: Reads environment variables, configuration files (such as the AWS shared credentials file), and Credential Manager entries that contain AWS Access Key IDs, Azure Client Secrets, and Google Cloud Service Account keys.
This data is then exfiltrated through the tunneling service to attacker-controlled servers, enabling lateral movement and cloud infrastructure compromise. Long-lived material (IAM user access keys, service-account private keys) is the most damaging haul because it does not expire on its own; temporary session credentials limit the window the attacker has to use them.
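The damage from this stage depends on what kind of credential material is actually sitting on the host. The following Python is an added example for this page, not part of the report, that audits the same sources the backdoor reads (the AWS shared credentials file, the process environment and a Google service-account key file) and classifies what a stealer would obtain, separating long-lived keys from temporary ones. All inputs are constructed: the AWS values are the placeholder credentials from AWS's own documentation, and the paths, variable values and account names are invented.

```python
import configparser
import json

# Constructed inputs standing in for what the backdoor reads. The AWS key and secret are
# the placeholder examples from AWS documentation, not live credentials.
SAMPLE_AWS_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN
"""
SAMPLE_ENV = {
    "PATH": r"C:\Windows\System32",
    "AZURE_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
    "AZURE_CLIENT_SECRET": "example~client.secret.value",
    "GOOGLE_APPLICATION_CREDENTIALS": r"C:\Users\alice\keys\sa.json",
}
SAMPLE_GCP_KEY = json.dumps({
    "type": "service_account",
    "client_email": "deploy@example-project.iam.gserviceaccount.com",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n",
})

# Environment variables the page's target list maps onto (assumed set for the example).
SECRET_ENV_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
                   "AZURE_CLIENT_SECRET", "GOOGLE_APPLICATION_CREDENTIALS")


def redact(value):
    """Keep enough of a key ID to match it against cloud audit logs, nothing more."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def audit_aws_credentials(text):
    """Classify each profile. AKIA-prefixed IDs are IAM user keys that never expire;
    ASIA-prefixed IDs are STS temporary credentials that die with their session token."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for profile in cp.sections():
        key_id = cp[profile].get("aws_access_key_id", "")
        if not key_id:
            continue
        if key_id.startswith("AKIA"):
            kind = "long-lived"
        elif key_id.startswith("ASIA") and cp[profile].get("aws_session_token"):
            kind = "temporary"
        else:
            kind = "unknown"
        findings.append((profile, redact(key_id), kind))
    return findings


def audit_env(env):
    """Names (never values) of secret-bearing variables present in the environment."""
    return [name for name in SECRET_ENV_VARS if env.get(name)]


def audit_gcp_key(text):
    """Return the service-account identity if the file is a downloadable private key."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if doc.get("type") == "service_account" and "private_key" in doc:
        return doc.get("client_email")
    return None


def exposure_summary(aws_text, env, gcp_text):
    aws = audit_aws_credentials(aws_text)
    return {
        "aws_long_lived": [p for p, _, k in aws if k == "long-lived"],
        "aws_temporary": [p for p, _, k in aws if k == "temporary"],
        "env_secrets": audit_env(env),
        "gcp_service_account": audit_gcp_key(gcp_text),
    }


if __name__ == "__main__":
    print(exposure_summary(SAMPLE_AWS_CREDENTIALS, SAMPLE_ENV, SAMPLE_GCP_KEY))
```

Everything in the "long-lived" and "gcp_service_account" buckets must be rotated if a host running this malware is found; the "temporary" profile expires on its own, which is the practical argument for issuing workstation credentials through short-lived sessions rather than static keys.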
Conclusion
The DEEP#DOOR reporting shows how Python-based malware now folds commodity tunneling services into its C2 design to slip past network defenses. The mitigations follow directly from the chain: enforce endpoint policies that alert on Defender and UAC tampering and on new scheduled tasks or services that launch interpreters from user-writable paths; treat the install_obf.bat name as a weak indicator and monitor for the behaviors behind it; block or alert on tunnel-provider domains where they have no business use; and require multi-factor authentication for cloud accounts while preferring short-lived credentials over static access keys so that stolen tokens expire quickly. Regular security awareness training reduces the chance that the initial phishing lure succeeds.