A new Python-based backdoor has been discovered by security researchers, using a legitimate tunnel service as a bridge to steal credentials. The malware spreads through malicious files and applies evasion techniques to bypass antivirus software. Once inside, it establishes encrypted connections with a C2 server, making its traffic difficult to block. Its goal is to steal passwords stored in browsers like Chrome and Firefox, as well as credentials for cloud platforms such as AWS and Azure.
Legitimate tunnels as cover for data theft 🕳️
The backdoor uses a legitimate tunnel service to mask its command and control traffic, complicating detection by perimeter security systems. Written in Python, it uses standard libraries to interact with the operating system, extract data from browser password stores, and collect cloud service credentials via APIs. Its modular design allows updating theft modules without modifying the malware's core. Researchers note that its evasion capabilities include sandbox checks and execution delays to avoid automated analysis.
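From the defender's side, the behaviour described above (a Python process that reads browser and cloud credential stores and then talks to a tunnel service) is easier to spot by correlating the two signals than by alerting on either alone, since developers legitimately run Python against `~/.aws/credentials` and tunnel tools are common on workstations. The following is an added example, not code from the article or from the malware analysis it reports: it correlates constructed endpoint telemetry (process image, file reads, outbound connections) per process and flags only processes that show both behaviours. The tunnel-service domains are placeholders because the article does not name the service; the credential-store file names (Chrome's `Login Data`, Firefox's `logins.json`, `~/.aws/credentials`, the `~/.azure` token cache directory) are the documented default locations.

```python
"""Correlate endpoint telemetry to flag a Python process that both reads
credential stores and connects to a tunnel service.

Added example. The event format and the tunnel domain list are constructed
for illustration; they are not from the article or any real product.
"""
import re
from dataclasses import dataclass, field

# PLACEHOLDER: the article does not name the tunnel service used by the backdoor.
TUNNEL_DOMAINS = {"tunnel-service.example"}

# Default locations of well-known credential stores (documented paths).
CREDENTIAL_STORE_PATTERNS = [
    (re.compile(r"[\\/]Login Data$"), "chrome-passwords"),
    (re.compile(r"[\\/]logins\.json$"), "firefox-passwords"),
    (re.compile(r"[\\/]\.aws[\\/]credentials$"), "aws-credentials"),
    (re.compile(r"[\\/]\.azure[\\/]"), "azure-token-cache"),
]

# Matches python, python3, python3.11, pythonw.exe, etc. as the final path component.
PYTHON_IMAGE = re.compile(r"(^|[\\/])pythonw?(\d(\.\d+)?)?(\.exe)?$", re.IGNORECASE)


@dataclass
class ProcessActivity:
    image: str
    tunnel_hosts: set = field(default_factory=set)
    credential_stores: set = field(default_factory=set)


def is_python(image):
    """True if the process image is a Python interpreter."""
    return bool(PYTHON_IMAGE.search(image))


def classify_path(path):
    """Return a label if the path is a known credential store, else None."""
    for pattern, label in CREDENTIAL_STORE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def is_tunnel_host(host):
    host = host.lower()
    return host in TUNNEL_DOMAINS or any(host.endswith("." + d) for d in TUNNEL_DOMAINS)


def correlate(events):
    """Group events by pid; return {pid: ProcessActivity} for Python processes only."""
    activity = {}
    for ev in events:
        if not is_python(ev["image"]):
            continue
        act = activity.setdefault(ev["pid"], ProcessActivity(ev["image"]))
        if ev["type"] == "net_connect" and is_tunnel_host(ev["dest"]):
            act.tunnel_hosts.add(ev["dest"].lower())
        elif ev["type"] == "file_read":
            label = classify_path(ev["path"])
            if label:
                act.credential_stores.add(label)
    return activity


def find_suspects(events):
    """Pids of Python processes that touched a credential store AND a tunnel host."""
    return sorted(pid for pid, act in correlate(events).items()
                  if act.tunnel_hosts and act.credential_stores)


# Constructed sample telemetry: one suspicious process and three benign ones.
PY_WIN = "C:\\Users\\a\\AppData\\Local\\Programs\\Python\\python.exe"
SAMPLE_EVENTS = [
    {"pid": 4242, "image": PY_WIN, "type": "file_read",
     "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 4242, "image": PY_WIN, "type": "file_read", "path": "C:\\Users\\a\\.aws\\credentials"},
    {"pid": 4242, "image": PY_WIN, "type": "net_connect", "dest": "relay.tunnel-service.example", "port": 443},
    # Benign: a developer's interpreter fetching packages.
    {"pid": 5150, "image": "/usr/bin/python3", "type": "net_connect", "dest": "pypi.org", "port": 443},
    # Benign: the browser reading its own password store.
    {"pid": 6001, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "type": "file_read",
     "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # Benign on its own: a script using the AWS SDK reads the credentials file but never tunnels out.
    {"pid": 7007, "image": "/usr/bin/python3.11", "type": "file_read", "path": "/home/dev/.aws/credentials"},
]

if __name__ == "__main__":
    for pid in find_suspects(SAMPLE_EVENTS):
        act = correlate(SAMPLE_EVENTS)[pid]
        print(f"pid {pid} ({act.image}): read {sorted(act.credential_stores)}, "
              f"connected to {sorted(act.tunnel_hosts)}")
```

Only pid 4242 is reported: the other Python processes show one signal or none, and the browser process is excluded because the credential-store read is expected from it. In a real deployment the event stream would come from EDR or Sysmon telemetry, and the placeholder domain set would be replaced with the tunnel providers actually observed in the environment.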
Cybercriminals also know how to use VPNs, but for stealing 🦹
It seems even the bad guys have modernized and now use VPN tunnels like any office worker wanting to watch Netflix from work. The difference is they're not looking for series, but your AWS and Azure passwords. The saddest part is that the tunnel service is completely legal and legitimate, so we can't even blame the tool. It's like a thief using an Uber to get to your house: the car isn't at fault, but the ride is still suspicious.