S0581 IronNetInjector

IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.¹

Item	Value
ID	S0581
Associated Names
Type	TOOL
Version	1.0
Created	24 February 2021
Last Modified	20 May 2022
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.006	Python	IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.¹
enterprise	T1140	Deobfuscate/Decode Files or Information	IronNetInjector has the ability to decrypt embedded .NET and PE payloads.¹
enterprise	T1036	Masquerading	-
enterprise	T1036.004	Masquerade Task or Service	IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.¹
enterprise	T1027	Obfuscated Files or Information	IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.¹
enterprise	T1057	Process Discovery	IronNetInjector can identify processes via C# methods such as `GetProcessesByName` and running Tasklist with the Python `os.popen` function.¹
enterprise	T1055	Process Injection	IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process.¹
enterprise	T1055.001	Dynamic-link Library Injection	IronNetInjector has the ability to inject a DLL into running processes, including the IronNetInjector DLL into explorer.exe.¹
enterprise	T1053	Scheduled Task/Job	-
enterprise	T1053.005	Scheduled Task	IronNetInjector has used a task XML file named `mssch.xml` to run an IronPython script when a user logs in or when specific system events are created.¹

Groups That Use This Software

ID	Name	References
G0010	Turla	¹

References

Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. ↩↩↩↩↩↩↩↩↩↩