Scripts related to the "Snakes on a Domain" Huntress Blog Post
The full blog post can be found here: https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader
The main script is a Python implementation of the "Cipher" encoding function found in the malware described above.
The cipher function takes a base64-encoded input and a key, and implements a custom decoding routine to produce shellcode or a .NET RAT.
This function is commonly found in malware loaded by IronPython, and is potentially related to the IronNetInjector used by Turla.
Alternatively, this may just be a complex loader for an AsyncRAT infection.
IronNetInjector reference (Unit 42): https://unit42.paloaltonetworks.com/ironnetinjector/
Usage: cipherdecode.py --file <filename.b64> --key <keyfrommalware>