New Find From Unit 42: Turla’s New Malware Loader, IronNetInjector

New Find From Unit 42: Turla’s New Malware Loader, IronNetInjector

Unit 42 researchers have discovered several malicious IronPython scripts designed to load and run Turla’s malware tools on a victim’s machine. 

Turla uses IronPython in an interesting way. This method is called bring your own Interpreter (BYOI) in which an interpreter (not present on the system by default) is used to run a malicious code in an interpreted programming or scripting language. It requires the use of an outside interpreter (absent from the system by default) to run malicious code in an interpreted programming or scripting language.

It were security researchers at FireEye who discovered the first malicious IronPython script last year. Earlier this year, another researcher found more new scripts from the same attacker on VirusTotal. These samples helped researchers at Unit 42 understand how the script functions and the tools used by threat actors.

New Find From Unit 42: Turla’s New Malware Loader, IronNetInjector
Decoded IronPython script + embedded .NET injector and ComRAT payload

The IronPython script is only the first part of the tool. The main job of running the malware is performed by the embedded process injector. Unit 42 researchers dubbed this tool chain IronNetInjector, which is a mixture of IronPython and NetInjector.

IronNetInjector consists of an IronPython script, which contains a .NET injector and one or more payloads (can also be .NET assembly (x86/64) or native PE (x86/64)). When running the IronPython script, it will load the .NET injection program, and then inject the payload into its own or remote process.

IronPython is so attractive for malware authors because they can make use .NET framework APIs without compiling a .NET assembly with the help of an outside interpreter. The analysts detail how the IronPython scripts work and how bad actors can use them to load payloads in a blog post on the Unit 42’s website.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share:

Share on facebook
Share on twitter
Share on linkedin