
"The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an embedded Python payload ('svc.py'), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions."
"What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from where it's extracted, reconstructed, and executed. This reduces the need for repeatedly having to reach out to external infrastructure and minimizes the forensic footprint."
"Once launched, the malware establishes communication with 'bore[.]pub,' a Rust-based tunneling service, allowing the operator to issue commands that facilitate remote command execution and extensive surveillance."
DEEP#DOOR is a stealthy backdoor framework whose dropper is a batch script that disables Windows security controls and deploys an embedded Python payload. It establishes persistence through several mechanisms, including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions. It is likely distributed via phishing, though the extent of its spread is unknown. Because the Python implant is embedded in the dropper itself, the malware has less need to fetch code from external infrastructure, which reduces its forensic footprint. Once active, it connects to a Rust-based tunneling service (bore[.]pub) for remote command execution and extensive surveillance, including keylogging and credential harvesting from a range of platforms.
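The four persistence locations named above (registry Run keys, Startup folder, scheduled tasks, WMI event subscriptions) are all enumerable from an elevated PowerShell session, which is the quickest way to triage a host for this kind of dropper. The script below is an added hunting example written for this page; it is not code from The Hacker News article or from the DEEP#DOOR sample. The indicator list is an assumption built from the file and domain names the article mentions ('install_obf.bat', 'svc.py', 'bore[.]pub') plus generic Python/batch launch strings, so expect benign hits from legitimate Python tooling and tune it before use. The Defender check at the end is likewise an assumption: the article only says the dropper "disables Windows security controls" without naming which ones.

```powershell
# Added persistence-hunting script for this page (not from the article or the malware).
# Run elevated: HKLM Run keys and root\subscription need admin to read fully.
# Indicator substrings are an assumption derived from names the article cites.
$Indicators = @('svc.py', 'install_obf.bat', 'bore.pub', 'python', 'pythonw', '.bat')

function Test-Indicator {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    foreach ($i in $Indicators) { if ($Text -like "*$i*") { return $true } }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param($Source, $Name, $Value)
    $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

# 1. Registry Run / RunOnce keys, per-user and machine-wide (incl. WOW6432Node)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        if (Test-Indicator "$($p.Value)") { Add-Finding 'RegistryRun' "$k\$($p.Name)" $p.Value }
    }
}

# 2. Startup folders: match on file name, and on content for script types
$StartupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($d in $StartupDirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -File -Force | ForEach-Object {
        $content = ''
        if ($_.Extension -in '.bat', '.cmd', '.vbs', '.ps1') {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        }
        if ((Test-Indicator $_.Name) -or (Test-Indicator $content)) {
            $preview = ("$content" -replace '\s+', ' ')
            if ($preview.Length -gt 200) { $preview = $preview.Substring(0, 200) + '...' }
            Add-Finding 'StartupFolder' $_.FullName $preview
        }
    }
}

# 3. Scheduled tasks: inspect every action's executable and arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Indicator $cmd) { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $cmd }
    }
}

# 4. WMI permanent event subscriptions: consumers carry the command, bindings tie them to filters
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
    if (Test-Indicator $_.CommandLineTemplate) { Add-Finding 'WmiConsumer' $_.Name $_.CommandLineTemplate }
}
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
    if (Test-Indicator $_.ScriptText) { Add-Finding 'WmiConsumer' $_.Name $_.ScriptText }
}
# Any filter-to-consumer binding on an ordinary workstation is unusual enough to list regardless of indicators.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'WmiBinding' "$($_.Filter)" "$($_.Consumer)"
}

# 5. Defender tampering (assumption: one of the "security controls" a dropper would disable)
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    if ($mp.DisableRealtimeMonitoring) { Add-Finding 'Defender' 'DisableRealtimeMonitoring' 'True' }
    foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
        if ($ex) { Add-Finding 'Defender' 'Exclusion' $ex }
    }
}

if ($Findings.Count -eq 0) { 'No indicator matches in Run keys, Startup folders, tasks, WMI subscriptions or Defender preferences.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Treat a hit as a lead, not a verdict: a Run key launching `pythonw.exe` is normal on a developer box, whereas a `.bat` in the Startup folder that unpacks a `.py` file, or any `__FilterToConsumerBinding` on a user workstation, deserves a closer look at the referenced file and its timestamps.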
Read at The Hacker News