"This helps it evade automated scanning platforms, which typically analyze samples in virtual or sandboxed environments. For command-and-control, Deep#Door takes an unconventional approach. Instead of connecting to a dedicated attacker server, which would be easier to detect…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1059.001 PowerShell (95%)
"…of the same service. Once active, the implant is a fully featured remote access tool. Operators can execute shell commands, capture screenshots, record audio, log keystrokes, access the webcam, harvest stored passwords from browsers, steal SSH keys and cloud credentials, and scan…"
T1059.001 PowerShell (86%)
"…f.bat. When executed, this script reads itself, literally parsing its own contents to extract a hidden Python payload embedded directly inside the script. The extracted file, svc.py, is then written quietly to %LOCALAPPDATA%\SystemServices\, a folder name deliberately ch…"
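A static triage check for the self-extracting batch pattern described in that excerpt, as an added example (not the Deep#Door sample, and not Securonix's tooling). It scores a .bat for four traits: the script referring to its own file (%0, %~f0, %~dp0), Python source lines embedded in the batch, a .py written under a user-writable profile directory, and a Python interpreter launch. Both batch texts inside the block are constructed for this example; the embedded "payload" only prints a string, and the file name, the `more +5` carve-out and the indicator names are this example's own choices, not details from the report.

```python
"""Static triage for batch files that carry and extract their own payload.

Added example, not the Deep#Door sample and not Securonix's tooling. Both
batch texts below are constructed for this example.
"""
import re

# cmd.exe's own-path parameter in its common forms (%0, %~f0, %~dp0, %~nx0, %~s0)
SELF_REF = re.compile(r"%~?(?:dp|nx|f|s)?0(?!\w)")
# Lines that look like Python, optionally hidden behind a batch comment (REM or ::)
PY_SOURCE = re.compile(
    r"^[ \t]*(?:[Rr][Ee][Mm][ \t]+|::[ \t]*)?"
    r"(?:import[ \t]+\w|from[ \t]+\w+(?:\.\w+)*[ \t]+import\b|def[ \t]+\w+[ \t]*\(|class[ \t]+\w+[ \t]*[:(])",
    re.M,
)
# A .py path rooted directly in a profile or temp environment variable
PY_DROP = re.compile(r"%(?:LOCALAPPDATA|APPDATA|TEMP|TMP|USERPROFILE|PUBLIC)%[^\s\"']*\.py\b", re.I)
# python.exe / pythonw.exe / py.exe used as a command, not the ".py" of a filename
PY_EXEC = re.compile(r"(?<![\w.])(?:pythonw?(?:\.exe)?|py\.exe)\b", re.I)


def triage_batch(text):
    """Return the indicators found and a verdict; three of the four traits is suspicious.

    %~dp0 alone is routine in legitimate installers, so no single trait decides.
    """
    indicators = []
    if SELF_REF.search(text):
        indicators.append("self_reference")
    if len(PY_SOURCE.findall(text)) >= 2:
        indicators.append("embedded_python_source")
    if PY_DROP.search(text):
        indicators.append("drops_py_under_user_profile")
    if PY_EXEC.search(text):
        indicators.append("launches_python")
    return {"indicators": indicators, "suspicious": len(indicators) >= 3}


# Constructed sample: skips its own first five lines to carve out the Python tail.
SAMPLE_BAT = r'''@echo off
if not exist "%LOCALAPPDATA%\SystemServices" mkdir "%LOCALAPPDATA%\SystemServices"
more +5 "%~f0" > "%LOCALAPPDATA%\SystemServices\svc.py"
start "" /min pythonw.exe "%LOCALAPPDATA%\SystemServices\svc.py"
exit /b
import os
import sys

def main():
    print("placeholder payload (constructed example)")

if __name__ == "__main__":
    main()
'''

# Constructed benign script: profile paths, but no self-reference, Python or .py drop.
BENIGN_BAT = r'''@echo off
echo Backing up %USERPROFILE%\Documents
xcopy "%USERPROFILE%\Documents" "D:\backup\Documents\" /E /Y
'''

if __name__ == "__main__":
    print(triage_batch(SAMPLE_BAT))
    print(triage_batch(BENIGN_BAT))
```

The path rule is defeated by one level of indirection (`set "dst=%LOCALAPPDATA%\..."` followed by `> "%dst%\svc.py"`), so a miss on that indicator is weak evidence; the self-reference and embedded-source traits survive that trick and are the ones to weight.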
T1572 Protocol Tunneling (85%)
"…external dependencies and limits traditional detection opportunities,” concludes the report. “The use of public tunneling infrastructure (bore[.]pub) further eliminates the need for dedicated attacker-controlled servers, enabling covert and resilient command-and-cont…"
T1056.001 Keylogging (67%)
"…of the same service. Once active, the implant is a fully featured remote access tool. Operators can execute shell commands, capture screenshots, record audio, log keystrokes, access the webcam, harvest stored passwords from browsers, steal SSH keys and cloud credentials, and scan…"
T1055.001 Dynamic-link Library Injection (65%)
"…f.bat. When executed, this script reads itself, literally parsing its own contents to extract a hidden Python payload embedded directly inside the script. The extracted file, svc.py, is then written quietly to %LOCALAPPDATA%\SystemServices\, a folder name deliberately ch…"
T1055.001 Dynamic-link Library Injection (57%)
"New Deep#Door RAT uses stealth and persistence to target Windows. Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP tunnel. Security researchers at Securonix uncovered …"
T1547.001 Registry Run Keys / Startup Folder (40%)
"…ing, NTDLL unhooking, Windows Defender tampering, command-line wiping, timestamp stomping, and log clearing,” continues the report. Deep#Door doesn’t rely on a single method to survive reboots. It plants itself across multiple locations simultaneously, the Windows startu…"
T1046 Network Service Discovery (40%)
"This helps it evade automated scanning platforms, which typically analyze samples in virtual or sandboxed environments. For command-and-control, Deep#Door takes an unconventional approach. Instead of connecting to a dedicated attacker server, which would be easier to detect…"
T1497.001 System Checks (39%)
"…ing, NTDLL unhooking, Windows Defender tampering, command-line wiping, timestamp stomping, and log clearing,” continues the report. Deep#Door doesn’t rely on a single method to survive reboots. It plants itself across multiple locations simultaneously, the Windows startu…"
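Detection logic for two of the behaviours these excerpts describe, the C2 channel through public tunneling infrastructure (bore[.]pub) and the multi-location reboot persistence, as an added example that is not Securonix's detection content. The records are Sysmon-style events constructed for this example (Event 1 process create, 3 network connect, 11 file create, 13 registry value set; field names follow Sysmon). TUNNEL_DOMAINS holds only bore.pub, the provider the report names; any further providers are an assumption to add from your own telemetry, and the user name, SID, port and process GUIDs are constructed.

```python
"""Host-telemetry correlation for tunnel C2 and multi-location persistence.

Added example, not Securonix's detection content. Events below are
constructed Sysmon-style records; field names follow Sysmon.
"""
import re
from collections import defaultdict

TUNNEL_DOMAINS = ("bore.pub",)           # from the report; extend from your own telemetry (assumption)
INTERPRETERS = ("python.exe", "pythonw.exe")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
LOCALAPPDATA = re.compile(r"[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _is_tunnel_host(host):
    """Exact or subdomain match against the tunnel provider list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS)


def correlate(events):
    """Map ProcessGuid -> sorted reasons for every process that trips a rule.

    A single persistence write is left alone (users pin shortcuts to Startup);
    the persistence rule fires only when one process plants itself in two places.
    """
    findings = defaultdict(set)
    persistence = defaultdict(set)
    for ev in events:
        guid = ev["ProcessGuid"]
        eid = ev["EventID"]
        image = _basename(ev.get("Image", ""))
        if eid == 1 and image in INTERPRETERS and LOCALAPPDATA.search(ev.get("CommandLine", "")):
            findings[guid].add("interpreter_running_script_from_localappdata")
        elif eid == 3 and _is_tunnel_host(ev.get("DestinationHostname", "")):
            findings[guid].add("outbound_to_public_tunnel:" + ev["DestinationHostname"].lower())
        elif eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            persistence[guid].add("startup_folder")
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            persistence[guid].add("run_key")
    for guid, spots in persistence.items():
        if len(spots) >= 2:
            findings[guid].add("multi_location_persistence:" + "+".join(sorted(spots)))
    return {guid: sorted(reasons) for guid, reasons in findings.items()}


PY = r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed events: P-1 mimics the implant, P-2 and P-3 are ordinary activity.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "P-1", "Image": PY,
     "CommandLine": r'pythonw.exe "C:\Users\alice\AppData\Local\SystemServices\svc.py"'},
    {"EventID": 11, "ProcessGuid": "P-1", "Image": PY, "TargetFilename": STARTUP + r"\svc.lnk"},
    {"EventID": 13, "ProcessGuid": "P-1", "Image": PY,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SystemServices"},
    {"EventID": 3, "ProcessGuid": "P-1", "Image": PY, "DestinationHostname": "bore.pub", "DestinationPort": 7835},
    {"EventID": 1, "ProcessGuid": "P-2", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"EventID": 3, "ProcessGuid": "P-2", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "P-3", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\Notes.lnk"},
]

if __name__ == "__main__":
    for guid, reasons in correlate(EVENTS).items():
        print(guid, reasons)
```

The tunnel rule keys on hostname, so it depends on DNS-resolved names being present in the network event; if the implant connects by IP, pair it with a resolver log or a threat-intel IP list instead. Correlating on ProcessGuid rather than on the image name is deliberate: the report says the implant runs under a Python interpreter, which is also what a developer's workstation runs all day.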
Summary
Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP tunnel. Security researchers at Securonix uncovered a sophisticated malware campaign called Deep#Door. Threat actors employed a stealthy Python-based backdoor that uses a surprisingly simple delivery method to achieve deep, persistent access […]