S0581 IronNetInjector

IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.[1]

| Item | Value |
|---|---|
| ID | S0581 |
| Associated Names | |
| Version | 1.0 |
| Created | 24 February 2021 |
| Last Modified | 20 May 2022 |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.006 | Python | IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | IronNetInjector has the ability to decrypt embedded .NET and PE payloads.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.[1] |
| enterprise | T1027 | Obfuscated Files or Information | IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.[1] |
| enterprise | T1057 | Process Discovery | IronNetInjector can identify processes via C# methods such as GetProcessesByName and by running Tasklist with the Python os.popen function.[1] |
| enterprise | T1055 | Process Injection | IronNetInjector can use IronPython scripts to load a .NET injector to inject a payload into its own or a remote process.[1] |
| enterprise | T1055.001 | Dynamic-link Library Injection | IronNetInjector has the ability to inject a DLL into running processes, including the IronNetInjector DLL into explorer.exe.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | IronNetInjector has used a task XML file named mssch.xml to run an IronPython script when a user logs in or when specific system events are created.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |