IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.[1]

ID: S0581
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 24 February 2021
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 .006 Command and Scripting Interpreter: Python

IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

IronNetInjector has the ability to decrypt embedded .NET and PE payloads.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.[1]

Enterprise T1057 Process Discovery

IronNetInjector can identify processes via C# methods such as GetProcessesByName and running Tasklist with the Python os.popen function.[1]

Enterprise T1055 Process Injection

IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process.[1]

.001 Dynamic-link Library Injection

IronNetInjector has the ability to inject a DLL into running processes, including the IronNetInjector DLL into explorer.exe.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

IronNetInjector has used a task XML file named mssch.xml to run an IronPython script when a user logs in or when specific system events are created.[1]

Groups That Use This Software

ID Name References
G0010 Turla