Deep#Door Python Backdoor Targets Windows Systems for Credential Theft

Severity: High (Score: 66.5)

Sources: Infosecurity-Magazine, Gbhackers, Cybersecuritynews, www.securonix.com, Securityaffairs.Co

Summary

Deep#Door is a newly discovered Python-based backdoor targeting Windows systems, identified by Securonix. It employs an obfuscated batch script to deploy a persistent implant capable of long-term surveillance and credential theft. The malware disables Windows security features and uses a public TCP tunneling service to obscure its communications. Key targets include browser passwords, cloud tokens, SSH keys, and Wi-Fi credentials. Deep#Door's stealthy nature allows it to blend malicious activity with legitimate system behavior, complicating detection efforts. It features multiple persistence mechanisms and anti-analysis techniques, making it difficult to remove once installed. The malware can also cause system crashes and overwrite boot records, indicating potential for disruptive attacks. Currently, it poses a significant threat to Windows users, particularly in enterprise environments.

Key Points

  • Deep#Door uses an obfuscated batch script to deploy a persistent backdoor on Windows systems.
  • The malware disables security controls and communicates via a public TCP tunneling service.
  • It targets sensitive data including browser passwords, cloud tokens, and SSH keys.

Key Entities

  • Malware (attack_type)
  • Trojan (attack_type)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • Deep#Door (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1047 - Windows Management Instrumentation (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1056.001 - Keylogging (mitre_attack)
  • Windows (platform)
  • PowerShell (tool)