A sophisticated Python-based backdoor is targeting developer workstations to harvest browser cookies and cloud access tokens. It relies on legitimate tunneling services to get through firewalls and hide its command-and-control (C2) traffic from conventional network monitoring.
The malware, tracked as DEEP#DOOR, starts its infection chain with a batch script that disables local security controls. Once persistence is in place, it uses tunneling services such as Ngrok or Cloudflare Tunnel to set up an encrypted C2 channel. It specifically targets Google Chrome and other Chromium-based browsers to steal active session tokens, letting attackers take over cloud-provider and DevOps-platform accounts without being prompted for MFA, since the stolen session has already passed that check.
Routing C2 through legitimate tunneling services is a deliberate step up in stealth: the traffic looks like authorized developer activity. By going after session tokens rather than passwords, the adversary sidesteps MFA, which is enforced at login rather than on every request, and keeps long-term access to sensitive cloud environments for as long as the stolen sessions remain valid.
– Monitor for unauthorized installations or executions of Ngrok, Cloudflare Tunnel (cloudflared), or similar tunneling clients on developer workstations.
– Implement strict EDR rules to detect the execution of obfuscated batch scripts and attempts to disable Windows Defender (for example via Set-MpPreference or Defender policy registry changes).
– Use session binding and device-compliance checks so that exfiltrated cookies cannot be replayed from a device the identity provider does not recognize.
– Educate development teams on the risks of running unverified scripts or utilities from untrusted sources.
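As an added example (not from the original post and not the campaign's own indicators), the Python below sketches the detection logic behind the first two recommendations plus the cookie-theft step, run over constructed telemetry. The event shape is a trimmed, hypothetical Sysmon-like record (process creation and file access), the sample events are made up, and the obfuscation threshold is an arbitrary starting point to tune against your own baseline.

```python
"""Toy detection rules for the DEEP#DOOR-style tradecraft described above,
run over constructed endpoint telemetry. Added example: hypothetical data."""
import re
from collections import Counter

# Constructed events in a trimmed Sysmon-like shape (hypothetical sample data):
# "process" ~ process creation, "file" ~ a process opening a file.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "s^e^t x=p^o^w&&c^a^l^l %x%ershell -w hidden -e aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"type": "process", "image": r"C:\Users\dev\AppData\Local\Temp\ngrok.exe",
     "cmdline": "ngrok.exe tcp 4444 --authtoken REDACTED"},
    {"type": "process", "image": r"C:\Users\dev\AppData\Roaming\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel --url tcp://127.0.0.1:4444"},
    {"type": "file", "image": r"C:\Users\dev\AppData\Local\Temp\python.exe",
     "target": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    # Benign activity that must not fire.
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "npm run build"'},
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-MpPreference"},
]

TUNNEL_BINARIES = {"ngrok.exe", "cloudflared.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe"}
DEFENDER_DISABLE = re.compile(
    r"Set-MpPreference\b.*-Disable\w+\s+\$?true"   # cmdlet switches such as -DisableRealtimeMonitoring
    r"|DisableAntiSpyware\b.*/d\s+1\b",            # the equivalent Defender policy registry value
    re.IGNORECASE)
ENCODED_CMD = re.compile(r"-e(?:ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
CHROMIUM_SECRETS = re.compile(r"\\User Data\\.*\\(Cookies|Login Data)$", re.IGNORECASE)
OBFUSCATION_THRESHOLD = 3  # arbitrary starting point; tune against your baseline


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def obfuscation_score(cmdline):
    """Count classic batch obfuscation primitives: caret escapes, %var:~n,m%
    substring extraction, and a base64-encoded PowerShell payload."""
    score = cmdline.count("^") + len(re.findall(r"%\w+:~", cmdline))
    if ENCODED_CMD.search(cmdline):
        score += 1
    return score


def evaluate(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            first = basename((cmd.split() or [""])[0])
            if img in TUNNEL_BINARIES or first in TUNNEL_BINARIES:
                alerts.append({"rule": "tunnel_binary", "image": img})
            if DEFENDER_DISABLE.search(cmd):
                alerts.append({"rule": "defender_disabled", "image": img})
            if img == "cmd.exe" and obfuscation_score(cmd) >= OBFUSCATION_THRESHOLD:
                alerts.append({"rule": "obfuscated_batch", "image": img})
        elif ev["type"] == "file":
            # Chromium's cookie/credential stores opened by anything that is not a browser.
            if CHROMIUM_SECRETS.search(ev["target"]) and img not in BROWSERS:
                alerts.append({"rule": "chromium_secret_access", "image": img})
    return alerts


def summarize(events):
    """Alert counts per rule, handy for a quick triage view."""
    return Counter(a["rule"] for a in evaluate(events))


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"{a['rule']:<24} {a['image']}")
```

The file-access rule is the one worth investing in: the binary names and cmdlet switches are trivial for an attacker to rename or encode, whereas reading Chrome's `Cookies` or `Login Data` file from a non-browser process is what the theft step has to do regardless of how the loader is wrapped.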
When attackers “live off the tunnel,” traditional perimeter security is bypassed; defense must shift to behavioral analysis and identity-bound session management. #CodeDefence #Malware #CloudSecurity #Python
