Deep#Door Python Backdoor Targets Windows Systems for Credential Theft

Severity: High (Score: 66.5)

Sources: Infosecurity-Magazine, Gbhackers, www.securonix.com

Summary

Deep#Door is a sophisticated Python-based backdoor identified by Securonix, targeting Windows systems for long-term surveillance and credential theft. The malware employs an obfuscated batch script to deploy a persistent implant that disables security features and communicates via a public TCP tunneling service. Key functionalities include stealing browser passwords, cloud tokens, SSH keys, and Wi-Fi credentials. It uses multiple persistence methods, such as registry run keys and scheduled tasks, to maintain access. The malware's self-contained design reduces network detection opportunities and complicates forensic analysis. Anti-analysis features check for virtual machines and debugging tools, further enhancing its stealth. The backdoor can also execute destructive actions, indicating potential for both espionage and disruption. Currently, organizations using Windows systems are at risk.

Key Points

  • Deep#Door uses an obfuscated batch script to deploy a persistent backdoor on Windows.
  • The malware disables security controls and hides its traffic through a public TCP tunneling service.
  • It targets sensitive information including passwords, tokens, and SSH keys.

Key Entities

  • Malware (attack_type)
  • Trojan (attack_type)
  • Deep#Door (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1027 - Obfuscated Files or Information (mitre_attack)
  • T1047 - Windows Management Instrumentation (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1056.001 - Keylogging (mitre_attack)
  • Windows (platform)
  • PowerShell (tool)