Deep#Door Stealer Harvests Browser Passwords, Cloud Tokens, SSH Keys, Wi-Fi Credentials
Key Takeaways A new Python-based malware, dubbed DEEP#DOOR, has been discovered, designed to operate as a sophisticated credential stealer and remote access tool. The malware infiltrates Windows...
Key Takeaways
- A new Python-based malware, dubbed DEEP#DOOR, has been discovered, designed to operate as a sophisticated credential stealer and remote access tool.
- The malware infiltrates Windows systems via an obfuscated batch script, “finallyJob.bat,” embedding its Python backdoor directly to evade network detection.
- DEEP#DOOR targets a wide array of sensitive data, including browser passwords, cloud authentication tokens (AWS, Azure, GCP), SSH keys, and Wi-Fi credentials.
- It employs advanced evasion techniques, such as disabling SmartScreen, patching AMSI and ETW, clearing event logs, and timestamp stomping, to maintain stealth and persistence.
- Once established, DEEP#DOOR provides full remote command execution, keylogging, webcam/microphone capture, and screen capture capabilities to attackers.
Cybersecurity researchers have uncovered a stealthy new Python-based malware framework named DEEP#DOOR. This potent threat acts as an obfuscated batch loader, deploying a persistent and comprehensive credential-stealing implant on Windows operating systems.
Table Of Content
The malware’s initial compromise typically involves an obfuscated batch script, often named “finallyJob.bat,” which serves as the primary execution vector. Uniquely, DEEP#DOOR incorporates its entire Python backdoor directly within this batch file, rather than relying on external downloads. This self-contained design significantly reduces the likelihood of network-based security solutions detecting the threat during its initial stages.
The infection initiates the moment an unsuspecting user executes what appears to be a benign batch file on a Windows machine. Analysts at Securonix Threat Research were instrumental in identifying and analyzing this sophisticated Python-based backdoor.
Infection Chain and Evasion Tactics
According to the researchers, the infection sequence begins with the execution of the batch script. This script dynamically extracts and runs an embedded Python Remote Access Tool (RAT) payload, typically named “c.py.” Following this, DEEP#DOOR establishes multiple persistence mechanisms, including scripts in the Startup folder, modifications to Registry Run keys, creation of Scheduled Tasks, and, optionally, WMI subscriptions.
Once activated, the malware communicates with attacker-controlled infrastructure through a publicly accessible TCP tunneling service. This enables remote operators to interact with the compromised system via designated ports. The backdoor grants extensive remote command execution and surveillance capabilities, encompassing keylogging, webcam photo capture, microphone recording, screen capture, and, crucially, credential harvesting.
Before deploying its core Python backdoor, DEEP#DOOR proactively thwarts runtime defenses. It disables Windows SmartScreen, patches Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), clears event logs, and employs timestamp stomping to obscure its activities. Further evasion techniques include sandbox detection, unhooking, tampering with Windows Defender, and stripping command-line arguments. This combination of advanced evasion and remote control makes DEEP#DOOR exceptionally difficult to detect once it has embedded itself within a network.
DEEP#DOOR’s Credential Harvesting Prowess
The most devastating aspect of DEEP#DOOR is its robust credential-harvesting engine. It systematically targets a broad spectrum of sensitive information, including passwords stored in web browsers, cloud authentication tokens, critical environment credentials, and SSH access keys. This comprehensive data exfiltration facilitates lateral movement and account compromise across an organization’s entire infrastructure.
Specifically, the stealer leverages dedicated functions like get_chrome_cred() and get_edge_cred() to access browser SQLite databases and extract cached login data. A separate get_ssh_key() function is designed to locate and exfiltrate private SSH keys, which are vital for remote server access. The malware also executes get_cloud_cred() to scan configuration files and environment variables for AWS, Azure, and Google Cloud Platform (GCP) credentials. Additionally, get_wifi_cred() probes the Windows Credential Manager and related registry locations to retrieve saved Wi-Fi passwords.
This multi-vector approach to data collection means that a single successful infection can expose an organization’s entire access surface. Once these credentials fall into the hands of attackers, re-entry into the network becomes trivial, even if the malware is detected and removed from the initial compromised host.
What You Should Do
- Exercise Caution with Executables: Avoid opening unknown batch files or script attachments, especially those arriving via email or suspicious shared links.
- Monitor for Anomalous Activity: Implement robust monitoring for unusual PowerShell and cmd.exe activity, particularly when combined with Base64-encoded commands.
- Audit Persistence Mechanisms: Regularly audit Registry Run keys, Startup folders, and Scheduled Tasks for any unauthorized or suspicious entries.
- Enable Tamper Protection: Ensure Windows Defender tamper protection is enabled to prevent malware from disabling built-in security features.
- Rotate Critical Credentials: Following any suspected compromise, promptly rotate cloud authentication tokens and SSH keys.
- Implement Network Monitoring: Deploy network monitoring solutions to detect suspicious outbound tunneling traffic over non-standard ports.
- Investigate System Activity: Investigate any processes making unexpected calls to webcams, microphones, or screen capture functionalities.
- Isolate and Analyze: Immediately isolate affected systems and conduct thorough forensic analysis to identify lateral movement paths and scope of compromise.
- Focus on Behavioral Analytics: Given DEEP#DOOR’s reliance on Python-based execution and obfuscated scripting, traditional antivirus tools may have limited effectiveness. Prioritize behavioral analytics and anomaly detection as primary defense layers.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.