
Turla's new malware loader: IronNetInjector

Introduction

Recently, researchers disclosed several malicious IronPython scripts whose purpose is to load and run Turla's malware on the victim's system. The way Turla uses IronPython is very new. The overall method is called Bring Your Own Interpreter (BYOI): it describes the use of an interpreter that is not present on the system by default to run malicious code written in an interpreted programming or scripting language.

The first malicious IronPython script was discovered last year by security researchers at FireEye. Earlier this year, another researcher pointed out some new scripts of the same kind uploaded to VirusTotal by two different submitters. We found that one of the submitters also uploaded two other samples, which are most likely the embedded payloads of the IronPython scripts. These samples helped us understand how the loader works, which malware it loads, and how the threat actors use it.

Although the IronPython script is only the first part of the tool, the main task of loading the malware is done by the embedded process injector. We call this chain IronNetInjector, a name that blends IronPython with the injector's internal project name, NetInjector.

IronNetInjector consists of an IronPython script that contains a .NET injector and one or more payloads. The payload can be a .NET assembly (x86/x64) or a native PE (x86/x64). When the IronPython script runs, it loads the .NET injector, which then injects the payload into its own process or into a remote process.

The key characteristics of the malicious IronPython script are as follows:

- Function and variable names are obfuscated.
- Strings are encrypted.
- It contains an encrypted .NET injector and one or more encrypted PE payloads.
- A parameter passed to the script serves as the decryption key for the embedded .NET injector and PE payload.
- The embedded .NET injector and payloads are Base64-encoded and encrypted with Rijndael.
- Log messages are written to %PUBLIC%\Metadata.dat
- Error messages are written to %PUBLIC%\Metaclass.dat

[Figure: one of the decoded IronPython scripts]
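As an added, constructed example (not code from the original report or from any vendor tooling), the following Python static-triage helper looks for the traits listed above in an IronPython script: .NET (clr) usage, Rijndael API references, a decryption key taken from the command line, the %PUBLIC% log-file names, and long Base64 blobs whose decoded size is 16-byte aligned, as padded block-cipher output would be. The sample script, the regular expressions and the scoring threshold are assumptions of this example, not indicators from the page.

```python
import base64
import binascii
import re

# Traits of the loader as described on the page, checked in plaintext script source.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
CLR_RE = re.compile(r"^\s*import\b.*\bclr\b|clr\.AddReference", re.M)
ARGV_KEY_RE = re.compile(r"sys\.argv\[\d+\]")
LOG_FILES = ("Metadata.dat", "Metaclass.dat")  # written under %PUBLIC%

def cipher_like_blobs(text):
    """Decoded sizes of Base64 blobs that are 16-byte aligned, as Rijndael/AES
    ciphertext with block padding would be."""
    sizes = []
    for token in B64_RE.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # long run of Base64 characters that is not valid Base64
        if len(raw) % 16 == 0:
            sizes.append(len(raw))
    return sizes

def triage_ironpython_script(text):
    """Heuristic static triage; returns the individual findings plus a verdict."""
    low = text.lower()
    findings = {
        "uses_clr": bool(CLR_RE.search(text)),
        "rijndael_api": "rijndael" in low,
        "key_from_argv": bool(ARGV_KEY_RE.search(text)),
        "log_paths": [f for f in LOG_FILES if f.lower() in low],
        "cipher_blob_sizes": cipher_like_blobs(text),
    }
    hits = sum(bool(v) for v in findings.values())
    findings["suspicious"] = hits >= 3  # threshold is an assumption; tune as needed
    return findings

# Constructed sample, not a real Turla script: obfuscated names, key taken from
# argv, two block-aligned blobs (48 and 80 bytes) and one that is not (50 bytes).
_aligned = [base64.b64encode(bytes(range(n))).decode() for n in (48, 80)]
_unaligned = base64.b64encode(bytes(range(50))).decode()
SAMPLE_SCRIPT = "\n".join([
    "import sys, clr",
    "from System.Security.Cryptography import RijndaelManaged",
    "a1 = sys.argv[1]",
    "b2 = '%s'" % _aligned[0],
    "c3 = '%s'" % _aligned[1],
    "d4 = '%s'" % _unaligned,
    r"e5 = r'%PUBLIC%\Metaclass.dat'",
])
```

Running `triage_ironpython_script(SAMPLE_SCRIPT)` reports both aligned blobs and a suspicious verdict; the 50-byte blob is ignored because it cannot be padded block-cipher output.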

IOCs
