PROBABLYPWNED
Malware | May 4, 2026 | 4 min read

DEEP#DOOR Backdoor Harvests Passwords, Cloud Tokens, SSH Keys

Securonix uncovers DEEP#DOOR, a Python-based backdoor that steals browser passwords, AWS/Azure credentials, and SSH keys while evading detection through bore.pub tunneling and extensive anti-analysis.

James Rivera

Security researchers at Securonix have disclosed a sophisticated Python-based backdoor dubbed DEEP#DOOR that combines full remote access capabilities with an aggressive credential-stealing engine targeting browser passwords, cloud authentication tokens, SSH keys, and Wi-Fi credentials.

The malware stands out for its defense evasion techniques: rather than operating traditional command-and-control infrastructure, DEEP#DOOR routes all traffic through bore.pub, a legitimate Rust-based TCP tunneling service. This makes network-based detection difficult since the traffic blends with normal activity and exposes no hardcoded attacker IP addresses.

How the Infection Chain Works

DEEP#DOOR arrives as an obfuscated batch script named install_obf.bat that executes directly via command line, avoiding the need to download external payloads that might trigger alerts.

The dropper reads its own file contents and uses PowerShell regex matching to extract an embedded Python payload located between #PYTHON_START and #PYTHON_END markers. This self-referential technique is unusual and worth flagging in behavioral monitoring rules. The extracted payload is written to svc.py under %LOCALAPPDATA%\SystemServices\, a directory name chosen to mimic legitimate Windows service directories.

Configuration values are Base64-encoded with XOR obfuscation (key 0x55) to conceal infrastructure details from static analysis tools.
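A small decoder an analyst can use to recover config strings obfuscated this way, added here as an example (it is not code from the Securonix write-up or from the malware). Because the article only says Base64 with XOR key 0x55 and not which layer is applied first, it tries both orders and keeps the one that yields printable text; the sample config string is constructed, not a real artefact.

```python
import base64
import string

# Single-byte XOR key the write-up reports for DEEP#DOOR's config strings.
XOR_KEY = 0x55
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key; the same call obfuscates and recovers."""
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes) -> bool:
    """Accept a candidate only if it is non-empty, printable ASCII (config values are)."""
    return bool(data) and all(b in PRINTABLE for b in data)


def decode_config(blob: bytes, key: int = XOR_KEY):
    """Recover plaintext from a Base64+XOR blob, trying both layering orders.

    The article only says 'Base64-encoded with XOR obfuscation', so we try:
      A) plaintext -> XOR -> Base64   (undo: b64decode, then XOR)
      B) plaintext -> Base64 -> XOR   (undo: XOR, then b64decode)
    Returns (order_label, text), or (None, None) if neither order yields text.
    """
    attempts = (
        ("xor-then-base64", lambda b: xor_bytes(base64.b64decode(b, validate=True), key)),
        ("base64-then-xor", lambda b: base64.b64decode(xor_bytes(b, key), validate=True)),
    )
    for label, undo in attempts:
        try:
            candidate = undo(blob)
        except ValueError:  # binascii.Error subclasses ValueError: not Base64 in this order
            continue
        if looks_like_text(candidate):
            return label, candidate.decode("ascii")
    return None, None


# Constructed sample config (not a real DEEP#DOOR artefact), obfuscated both ways
# so the decoder can be exercised offline.
SAMPLE_CONFIG = "tunnel_host=bore.pub\nport_range=41234-41243\n"
SAMPLE_BLOB_A = base64.b64encode(xor_bytes(SAMPLE_CONFIG.encode("ascii")))
SAMPLE_BLOB_B = xor_bytes(base64.b64encode(SAMPLE_CONFIG.encode("ascii")))

if __name__ == "__main__":
    for blob in (SAMPLE_BLOB_A, SAMPLE_BLOB_B):
        order, text = decode_config(blob)
        print(f"{order}: {text!r}")
```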

Before the main payload activates, the loader systematically disables security controls:

  1. Windows Defender real-time and behavior monitoring disabled via registry
  2. PowerShell script block and transcription logging suppressed
  3. Firewall connection logging turned off using netsh commands
  4. SmartScreen reputation checks bypassed

This pre-execution tampering mirrors techniques we covered in the ASP.NET Core privilege escalation analysis, where attackers disable protections before deploying their main payload.

Multi-Layer Persistence

DEEP#DOOR establishes persistence through four redundant mechanisms:

  • Startup Folder: A VBScript launcher (SystemServices.vbs) drops into the user's Startup directory and executes silently at logon
  • Registry Run Key: Standard HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry maintains execution across reboots
  • Watchdog Thread: A background process continuously monitors for deleted persistence artifacts and automatically restores them
  • WMI Subscriptions: Optional event-based triggers provide additional redundant activation paths

The watchdog thread is particularly annoying for incident responders. Deleting the startup script or registry key without killing the malware process first just results in the artifact reappearing.

Credential Harvesting Targets

The implant targets multiple credential sources across the compromised system:

  • Browser password databases from Chrome, Edge, and Firefox via SQLite extraction
  • Windows Credential Manager enumeration
  • Cloud credentials including AWS, Azure, and GCP environment variables and config files
  • SSH private keys from user directories
  • Wi-Fi credentials via system queries

This broad targeting resembles the credential theft patterns seen in recent PyTorch Lightning supply chain attacks, where attackers prioritize cloud credentials alongside traditional browser-stored passwords.

Surveillance and Remote Access

Beyond credential theft, DEEP#DOOR provides full RAT functionality:

  • Keystroke capture via Windows API polling
  • Desktop screenshot capture using PowerShell and GDI
  • Webcam access through multiple fallback methods (OpenCV, DirectShow, native APIs)
  • Microphone audio recording
  • Clipboard content monitoring
  • Arbitrary shell command execution
  • File upload and download operations
  • Internal network scanning and reconnaissance
  • Destructive capabilities including MBR overwriting

C2 Through Legitimate Tunneling

Rather than maintaining dedicated C2 servers that could be identified and blocked, DEEP#DOOR leverages bore.pub, a public TCP tunneling service. The malware dynamically generates a port range (41234-41243) at runtime, launches up to 100 concurrent worker threads scanning ports 1024-65535, and performs SHA256 challenge-response authentication using an embedded credential.

This approach eliminates attacker infrastructure exposure and means traditional IOC-based blocking of C2 domains won't work. Network defenders need to monitor for unusual connection patterns to the bore.pub domain itself.

Anti-Analysis Capabilities

DEEP#DOOR incorporates extensive environment validation to prevent sandbox and VM execution:

  • Debugger detection via IsDebuggerPresent API, NtQueryInformationProcess checks, PEB flag inspection, and timing-based detection
  • VM detection through registry artifacts, hardware fingerprinting, MAC address OUI analysis, and CPUID hypervisor bit checking
  • Sandbox detection using generic username identification, analysis tool process enumeration, and user activity monitoring

Post-execution, the malware patches AMSI and ETW functions in memory, unhooks ntdll to remove EDR instrumentation, wipes command-line arguments from process memory, and terminates Sysmon while clearing event logs.

Indicators of Compromise

SHA256                                                            Filename
2c2386ef6416ce821e377223d2a3b79f2b7ea9e8dc9ed2549f4676fe060b7ddd  install_obf.bat
84515368e2f8ff4467e38bf48dabb267b5b895f54df5be5ceb5428a414ae15e9  svc.py
c6f00569913cd6bd1017b26bd33bbb28f1d92b9c9e0f830adcc24af59e181d3e  SystemServices.vbs

C2 Domain: bore[.]pub

Detection Recommendations

Monitor for self-referential file parsing (%~f0 in PowerShell), regex-based extraction patterns within scripts, and writes to suspicious service-mimicking directories. Enable PowerShell Script Block Logging (Event ID 4104) and alert on Windows Defender configuration changes via Set-MpPreference abuse.
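An added triage script (not from the Securonix write-up) that applies the dropper heuristics above to a script body: a self-read via %~f0, #PYTHON_START/#PYTHON_END markers, regex-based carving, the SystemServices drop path, and Set-MpPreference tampering. The indicator names, the scoring rule and the two sample scripts are this example's own constructed assumptions.

```python
import re

# Heuristics drawn from the dropper behaviour described above: a script that reads
# its own file, carves a marker-delimited Python payload out of its body, writes
# into a service-sounding folder and tampers with Defender before launching it.
# The indicator names and the scoring rule are this example's own assumptions.
INDICATORS = {
    "self_reference":    re.compile(r"%~f0|\$MyInvocation\.MyCommand\.Path", re.I),
    "payload_markers":   re.compile(r"#PYTHON_START[\s\S]+?#PYTHON_END"),
    "regex_carving":     re.compile(r"\[regex\]::Match|-match\b|Select-String", re.I),
    "service_mimic_dir": re.compile(r"%LOCALAPPDATA%\\SystemServices", re.I),
    "defender_tamper":   re.compile(r"Set-MpPreference\s+-Disable\w*", re.I),
}
# A self-read plus payload markers is the dropper's signature and is enough on its
# own; otherwise require several weaker indicators together to limit false positives.
STRONG_PAIR = {"self_reference", "payload_markers"}
THRESHOLD = 3


def scan_script(text: str) -> dict:
    """Return the indicator names found in a script body and a verdict."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    suspicious = STRONG_PAIR <= hits or len(hits) >= THRESHOLD
    return {"indicators": sorted(hits), "suspicious": suspicious}


# Constructed script bodies for testing; neither is the real install_obf.bat.
# The "dropper" only carries the tokens the heuristics look for, nothing functional.
SAMPLE_DROPPER = r"""@echo off
powershell -NoProfile -Command "Select-String -Path '%~f0' -Pattern 'PYTHON_START'"
set OUT=%LOCALAPPDATA%\SystemServices\svc.py
#PYTHON_START
print('payload placeholder')
#PYTHON_END
"""
# A benign batch file that references itself: one weak indicator, not enough to flag.
SAMPLE_BENIGN = r"""@echo off
echo Backing up %USERPROFILE%\Documents (script: %~f0)
xcopy /E /I "%USERPROFILE%\Documents" "D:\backup\Documents"
"""

if __name__ == "__main__":
    for name, body in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(name, scan_script(body))
```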

For persistence, track Startup folder modifications, Registry Run key changes, and WMI event subscription creation. Flag outbound connections to bore.pub and alert on sequential TCP port scanning in the 41234-41243 range.
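An added example (not from the write-up) of the network check above, run over constructed connection records that are assumed to already carry the resolved destination host name: every host that contacts bore.pub is reported, and an alert is raised when a host walks consecutive ports in the 41234-41243 range within a short window. The record format, the window and the run-length threshold are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Port range the write-up reports DEEP#DOOR generating for its bore.pub tunnel.
BORE_PORT_LOW, BORE_PORT_HIGH, TUNNEL_HOST = 41234, 41243, "bore.pub"
WINDOW = timedelta(minutes=5)  # assumption: a sweep completes within a few minutes
MIN_RUN = 3                    # assumption: three consecutive in-range ports is a sweep

def parse_record(line: str):
    """Parse one constructed record: '<iso-ts> <src> -> <dst-host>:<port> <proto>'."""
    ts, src, _, dest, proto = line.split()
    host, port = dest.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host.lower(), int(port), proto.upper()

def longest_consecutive_run(ports):  # longest run of consecutive ints in an ascending list
    best = cur = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best

def detect_bore_sweeps(lines):
    """Return (hosts that contacted bore.pub at all, {src: ports} for detected sweeps)."""
    contacts = set()
    events = defaultdict(list)  # src -> [(timestamp, port)] within the DEEP#DOOR range
    for line in lines:
        ts, src, host, port, proto = parse_record(line)
        if host != TUNNEL_HOST or proto != "TCP":
            continue
        contacts.add(src)  # any bore.pub contact is a lead on its own
        if BORE_PORT_LOW <= port <= BORE_PORT_HIGH:
            events[src].append((ts, port))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a WINDOW-wide window over the events
            ports = sorted({p for t, p in evs[i:] if t - t0 <= WINDOW})
            if longest_consecutive_run(ports) >= MIN_RUN:
                alerts[src] = ports
                break
    return contacts, alerts

# Constructed sample records (not real telemetry): 10.0.0.5 walks three consecutive
# in-range ports; 10.0.0.9 touches bore.pub twice, far apart, without a sweep.
SAMPLE_LOG = """\
2026-05-04T09:00:01 10.0.0.5 -> bore.pub:41234 TCP
2026-05-04T09:00:02 10.0.0.5 -> bore.pub:41235 TCP
2026-05-04T09:00:02 10.0.0.5 -> bore.pub:41236 TCP
2026-05-04T09:00:05 10.0.0.9 -> bore.pub:443 TCP
2026-05-04T09:30:00 10.0.0.9 -> bore.pub:41240 TCP
""".splitlines()
```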

Organizations concerned about this threat category should review our malware defense guide for additional hardening recommendations.
