Russian Hacking Group Deploys IronPython Malware LoaderTurla's 'IronNetInjector' Delivers ComRAT Trojan, Unit42 Reports
The Russian hacking group Turla is deploying an IronPython-based malware loader called "IronNetInjector" as part of a new campaign, Palo Alto's Unit42 reports.
See Also: The Anatomy of the Solarwinds Attack
Unit42 researchers report that the new loader delivers ComRAT, a remote access Trojan, by exploiting IronPython’s ability to use .NET framework APIs directly as well as Python libraries.
"IronNetInjector is made of an IronPython script that contains a .NET injector and one or more payloads," the report notes. "When an IronPython script is run, the .NET injector gets loaded, which in turn injects the payload(s) into its own or a remote process."
The latest loader comes with capabilities to obfuscate malware codes and encrypt and decrypt NET injector and payloads, according to the researchers.
Unit42 researchers identified two IronNetInjector variants compiled in 2018 and 2019. Both use full-blown portable executable injection toolsets, deployed for injecting and running codes inside another process memory.
While the 2018 loader was written in a much more specific manner, the researchers note the 2019 version is generically written and comes with capabilities to inject .NET assemblies into unmanaged processes.
IronNetInjector begins its function when the open-source Python programming language IronPython script is running. The malicious code is then loaded in the embedded .NET injector, which then decodes and decrypts the ComRAT Trojan.
Once the ComRAT is decrypted, the .NET injector takes control over the further execution, such as obfuscation and encryption, according to the report.
"The .NET injectors and bootstrappers contain clean code and meaningful function/method/variable names, and they use detailed log/error messages. Only the initial IronPython scripts are obfuscated to prevent easy detection," the researchers note.
Roger Grimes, defense evangelist at security firm KnowBe4, says since the .NET framework is mostly only run on Windows platforms, the impact of the tools is likely to be very low.
"On Microsoft Windows computers, it becomes yet another potential method among the myriad of options to possibly bypass or confuse anti-malware prevention and detection software," Grimes says.
To defend Windows users, security researchers will have to parse to detect any suspicious activities, Grimes says.
"Anti-malware software has to be aware of this new malware injection technique and be able to handle and parse it in a way to distinguish between legitimate and malicious uses. Out of the over 100 malware programs out, there is some percentage of them that will not be upgraded to detect this sort of technique, and so it helps malware developers," Grimes says.
Turla, which is also known as Belugasturgeon, Ouroboros, Snake, Venomous Bear and Waterbug, is reported to be part of Russia’s FSB (formerly KGB) and has carried out a series of operations targeting government and military agencies in at least 35 countries since 2008 (see: Russian Hackers Revamp Malware, Target Governments: Report).
The advanced persistent threat group has deployed a large malware arsenal that security researchers have documented over the past several years. The group's hacking tools include ComRAT network exfiltration malware and the HyperStack backdoor used to manipulate Windows APIs for persistence (see: Updated Malware Tied to Russian Hackers).
It is also not the first time the group has used legitimate tools and services as part of its malicious infrastructure.
In December 2020, security firm ESET uncovered a cyberespionage campaign by Turla that deployed a backdoor called "Crutch" that used Dropbox resources to help gather stolen data (see: Russian Hacking Group's Backdoor Uses Dropbox).