A newly identified stealthy Python-based backdoor framework provides attackers with persistent remote command execution and surveillance capabilities on Windows computers, Securonix reports.
The malware’s infection chain starts with the execution of a batch script that disables the system’s security controls, including SmartScreen, firewall logging, Defender tamper protection, and Antimalware Scan Interface functions.
Next, it loads an embedded Python payload and establishes multi-layered persistence by modifying Run registries, creating scheduled tasks, and placing scripts in the Startup folder.
By embedding the payload directly into the batch script’s body, the malware’s developer simplifies delivery and evades network-based detection, Securonix explains.
Additionally, the directory in which the Python backdoor is deployed mimics legitimate Windows services to blend into normal system operations.
The script reconstructs the embedded payload, a backdoor dubbed Deep#Door, directly in memory and on disk, and initializes the command channel.
Executed at user logon, Deep#Door performs environment validation checks to ensure it is not executed in VMs, sandboxes, or analysis environments. For that, it checks for debuggers, specific virtualization artifacts, and behavioral and environmental characteristics.
Once active, the backdoor enables shell command execution, file manipulation, system and network reconnaissance, and surveillance operations such as keylogging, clipboard monitoring, screenshot capture, microphone and webcam access, and credentials and SSH key harvesting.
Additionally, the malware can shift from espionage to destructive operations, as it can overwrite the Master Boot Record, force system crashes, and exhaust system resources by spawning numerous processes.
“Deep#Door incorporates a layered and highly aggressive set of defense evasion techniques designed to bypass security controls, evade detection, and complicate forensic analysis. These mechanisms operate both before and during execution to ensure the implant remains stealthy throughout its lifecycle,” Securonix notes.
The malware dynamically constructs a range of possible communication ports, so it can reach its command-and-control (C&C) infrastructure even if specific ports are blocked, and uses public tunneling for covert and resilient communication that blends with legitimate traffic.
“Additionally, the combination of multi-layer persistence, advanced defense evasion (AMSI/ETW patching, ntdll unhooking), and in-memory stealth techniques allows the implant to operate with minimal forensic footprint while maintaining long-term access,” Securonix says, underlining that Deep#Door was likely built for espionage.
Related: US Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ Backdoor
Related: 100 Chrome Extensions Steal User Data, Create Backdoor
Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
Related: China-Linked Hackers Hit Asian Militaries in Patient Espionage Operation
