Deep#Door: Analyzing the Stealthy Python-Based RAT and Its Self-Contained Deployment Strategy

In the evolving landscape of malware delivery, simplicity often masks sophisticated intent. Deep#Door is a prime example: a stealthy, Python-based Remote Access Trojan (RAT) that leverages an obfuscated batch loader to deploy a persistent, high-impact surveillance implant on Windows environments.

Unlike many contemporary threats that rely on high-volume network downloads to fetch payloads, Deep#Door utilizes a “self-contained” architecture, making it significantly harder for network-based security controls to flag its initial infection vector.

The primary objective of this malware is data exfiltration, specifically targeting high-value credentials including browser-stored passwords, cloud service tokens, SSH keys, and Wi-Fi configurations. To achieve this, it doesn’t just run; it actively reconfigures the host operating system to facilitate its presence.

The Architecture of Obfuscation: Embedded Payloads

Recent threat research from Securonix identifies the entry point as a heavily obfuscated batch script, typically named install_obf.bat. This script serves a dual purpose: it acts as the execution engine and the storage container for the malicious payload.

The loader employs a clever self-referential parsing technique. By reading its own source code, the script uses regular expressions via a PowerShell sub-process to isolate a specific block of code delimited by #PYTHON_START and #PYTHON_END markers. This extracted block is then written to %LOCALAPPDATA%\SystemServices\svc.py—a directory path carefully chosen to mimic legitimate Windows service components, thereby evading casual observation by administrators.

Analysis of install_obf.bat showing embedded Python logic.
Visual analysis of the install_obf.bat loader (Source: Securonix).

Once the svc.py file is dropped, the malware enters its second layer of defense. The Python code utilizes Base64 encoding and XOR-based routines to mask critical strings, such as the Command and Control (C2) host information and authentication keys. Furthermore, rather than utilizing a static port—which is easily flagged by firewall signatures—the implant generates a dynamic port range at runtime, adding a layer of unpredictability to its communication profile.

The svc.py file located in the AppData directory.
The extracted svc.py payload residing in the local AppData folder (Source: Securonix).

System Degradation and Persistence Mechanisms

Deep#Door is not a passive occupant; it is an aggressive adversary. Before the Python RAT fully initializes, the loader executes a series of commands to blind the host’s defenses. Using PowerShell, it systematically disables Microsoft Defender features, including real-time monitoring, behavior monitoring, and IOAV scanning. To ensure its own longevity, it proactively adds exclusions for its working directory and any running Python processes.

To further reduce the forensic footprint, the malware suppresses:

  • SmartScreen: To prevent user-facing warnings during execution.
  • PowerShell Logging: Disabling script block logging and transcription to hide the commands used during the infection.
  • Windows Firewall Logging: To mask the outbound traffic sent to the C2.

Persistence is maintained through a multi-pronged approach. The malware drops a VBScript launcher into the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup folder and registers a Run key under HKCU. For advanced environments, it can implement scheduled tasks and WMI event subscriptions. To counter remediation attempts, a dedicated “watchdog” thread monitors these registry keys and files, automatically restoring them if an administrator or security tool attempts to delete them.

Malware persistence artifacts in the Startup folder.
Persistence via the Windows Startup folder (Source: Securonix).

C2 via Tunneling and Advanced Evasion Tactics

One of the most notable technical aspects of Deep#Door is its use of bore[.]pub, a public TCP tunneling service. By routing traffic through a legitimate tunneling service, the attackers can bypass traditional perimeter defenses that might otherwise block direct connections to suspicious IP addresses. The implant performs a custom challenge–response handshake to authenticate with the tunnel before establishing a persistent command loop.

To stay undetected during analysis, Deep#Door employs sophisticated anti-analysis techniques:

  • Environment Validation: It checks for debuggers, virtual machines, and sandboxes by inspecting hardware fingerprints, registry artifacts, and even monitoring for low system resource usage or a lack of human-like mouse/keyboard activity.
  • EDR Blinding: The malware attempts to patch the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). It may also attempt to unhook ntdll.dll to bypass the instrumentation used by Endpoint Detection and Response (EDR) tools.
  • Forensic Cleanup: It manipulates file timestamps (timestomping), wipes command-line arguments from memory, and interferes with Sysmon to leave as little evidence as possible for incident responders.

Defensive Recommendations

Defending against Deep#Door requires a shift from signature-based detection to behavioral-based monitoring. Security teams should prioritize the following:

  • Monitor for Self-Referential Execution: Flag batch or PowerShell scripts that attempt to read their own file content or use regex to extract large blocks of encoded data.
  • Watch for Security Control Modifications: Alert on any unauthorized attempts to disable Microsoft Defender, PowerShell logging, or Windows Firewall via command line.
  • Audit Tunneling Services: Monitor outbound traffic for connections to known tunneling services like bore[.]pub or ngrok, especially from non-administrative user processes.
  • Detect Persistence Anomalies: Implement strict monitoring for new entries in Registry Run keys, unexpected WMI subscriptions, and unauthorized files appearing in the Startup directory.

Related Articles

Back to top button