New Deep#Door RAT: Stealthy Windows Malware With Advanced Persistence Capabilities
- May 2
- 3 min read
Key Findings
Python-based remote access trojan embeds payload directly inside batch file dropper with no external downloads
Malware disables Windows Defender, PowerShell logging, firewall logging, and SmartScreen before activating
Establishes persistence through multiple mechanisms including startup folders, registry keys, scheduled tasks, and WMI subscriptions with automatic restoration capability
Uses bore.pub public TCP tunneling service for command-and-control instead of dedicated attacker infrastructure
Incorporates sandbox detection, AMSI patching, ETW patching, and other anti-analysis techniques to evade automated security scanning
Provides full remote access capabilities including command execution, screen capture, keylogging, credential theft, and potentially destructive actions like MBR overwrites
Background
Security researchers at Securonix discovered a sophisticated malware campaign called Deep#Door targeting Windows systems. The threat actors deployed a stealthy Python-based backdoor using an unusually simple delivery method to achieve persistent access. What distinguishes this campaign is the combination of stealth and sophistication in how it avoids detection while maintaining control.
Attack Chain and Initial Delivery
The attack begins with a single batch file named install_obf.bat. When executed, the script reads itself and extracts a hidden Python payload embedded directly within the batch file code. The extracted file, svc.py, is written to %LOCALAPPDATA%\SystemServices\, a deliberately chosen folder name designed to blend with legitimate Windows system components. This self-referential technique is particularly effective because it avoids suspicious external downloads, suspicious URLs at the staging phase, and compiled executables that would trigger alarms.
Defense Suppression
Before activating the Python implant, the loader systematically dismantles host defenses. Windows Defender is disabled, PowerShell logging is turned off, firewall logging is suppressed, and SmartScreen is bypassed. The malware applies numerous advanced evasion mechanisms including sandbox detection, AMSI and ETW patching, ntdll unhooking, Windows Defender tampering, command-line wiping, timestamp stomping, and log clearing. By the time the implant becomes active, the system is effectively blind to malicious activity.
Persistence Mechanisms
Deep#Door doesn't rely on a single persistence method. It simultaneously plants itself across multiple locations including the Windows Startup folder, registry Run keys, scheduled tasks, and WMI event subscriptions. A background watchdog thread continuously monitors these persistence points and automatically restores any that are deleted. This distributed approach means that simply removing one artifact doesn't clean the infection. All mechanisms must be addressed simultaneously, making manual remediation significantly more difficult for defenders.
Anti-Analysis and Sandbox Evasion
Before fully activating, the malware runs a series of checks to determine whether it's running on a real machine or inside an analysis environment. It searches for debuggers, virtual machine signatures, sandbox indicators like generic usernames or low system resources, and even security research tools such as Wireshark or IDA Pro. If suspicious indicators are detected, the malware remains dormant. This capability effectively bypasses automated scanning platforms that typically analyze samples in virtual or sandboxed environments.
Command-and-Control Strategy
Deep#Door uses an unconventional approach for command-and-control by leveraging bore.pub, a legitimate public TCP tunneling service, rather than connecting to a dedicated attacker server. The malware scans a dynamic range of ports to find an active tunnel and authenticates using a challenge-response mechanism. This approach eliminates the need for attacker-owned infrastructure, allows exposure of internal services to the internet without opening firewall ports, and blends malicious traffic with legitimate tunneling usage. The strategy significantly complicates attribution and makes network-based detection less reliable since traffic appears to connect to a legitimate service.
Capabilities and Threat Level
Once active, the implant functions as a fully featured remote access tool. Operators can execute shell commands, capture screenshots, record audio, log keystrokes, access the webcam, and harvest stored passwords from browsers. The malware can also steal SSH keys and cloud credentials, scan internal networks for further compromise, and perform destructive actions like overwriting the Master Boot Record or forcing system crashes. These capabilities suggest the threat actor could shift from espionage to sabotage if operational objectives change.
Detection and Defense Recommendations
Securonix recommends focusing detection efforts on behavioral signals rather than file signatures, as traditional file-based detection is likely to miss this threat. Defenders should monitor for PowerShell logging suppression, suspicious WMI event subscriptions, unexpected scheduled tasks, and unusual registry modifications. Network monitoring should flag connections to bore.pub and similar public tunneling services, though this requires understanding that legitimate use of these services also occurs in many environments.
Sources
https://securityaffairs.com/191567/malware/new-deepdoor-rat-uses-stealth-and-persistence-to-target-windows.html
https://x.com/shah_sheikh/status/2050501393459691696
https://x.com/Dinosn/status/2050556134583369910
https://www.linkedin.com/posts/pierluigipaganini_new-deepdoor-rat-uses-stealth-and-persistence-activity-7456256944446726144-DuDn
https://x.com/securityaffairs/status/2050491314743976416

Comments