IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.

| Domain | ID | Sub-ID | Name | Use |
|---|---|---|---|---|
| Enterprise | T1059 | .006 | Command and Scripting Interpreter: Python | IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector. |
| Enterprise | T1140 | | Deobfuscate/Decode Files or Information | IronNetInjector has the ability to decrypt embedded .NET and PE payloads. |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service | IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc. |
| Enterprise | T1027 | | Obfuscated Files or Information | IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads. |
| | | | | IronNetInjector can identify processes via C# methods such as |
| | | | | IronNetInjector can use IronPython scripts to load a .NET injector to inject a payload into its own or a remote process. |
| | | .001 | Dynamic-link Library Injection | IronNetInjector has the ability to inject a DLL into running processes, including the IronNetInjector DLL into explorer.exe. |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | IronNetInjector has used a task XML file named |