IronNetInjector: Weaponizing .NET Dynamic Language Runtime Engines

As adversaries evolve their Tactics, Techniques, and Procedures (TTPs) to stay ahead of defenders, Microsoft’s .NET Framework emerges as a common component found in the tradecraft of many contemporary Advanced Persistent Threats (APTs), whether through PowerShell or C#. Because of .NET’s ease of use and availability on every recent Windows system, it is at the forefront of modern TTPs and is a primary means of exploitation. This article considers the .NET Dynamic Language Runtime as an attack vector, and how APTs have utilized it for offensive purposes. The technique under scrutiny is Bring Your Own Interpreter (BYOI), which is the ability of developers to embed dynamic languages into .NET using an engine. The focus of this analysis is an adversarial use case in which APT Turla utilized BYOI as an evasion technique, using an IronPython .NET Injector named IronNetInjector. This research analyzes IronNetInjector and how it was used to reflectively load .NET assemblies. It also evaluates the role of Antimalware Scan Interface (AMSI) in defending Windows. Due to AMSI being at the core of Windows malware mitigation, this article further evaluates the memory patching bypass technique by demonstrating a novel AMSI bypass method in IronPython using Platform Invoke (P/Invoke).