From APT28 to RePythonNET: automating .NET malware analysis

Key Takeaways

• APT28 utilizes a customized Covenant Grunt implant featuring a C2Bridge that leverages Koofr or Filen APIs for covert communication.
• The Covenant payload employs string encryption and randomized function names to hinder static analysis.
• Sekoia released RePythonNET-MCP, an open-source tool combining pythonnet, dnlib, and ILSpy to automate .NET malware decompilation and patching.
• AI assistants can be integrated with RePythonNET-MCP to autonomously decompile code, rename functions, and extract C2 configurations.

Affected Systems

• Windows
• .NET Framework

Attack Chain

APT28 deploys a Covenant Grunt implant to target systems. To evade detection, the implant uses a custom C2Bridge that communicates via the Koofr or Filen APIs, relying on file uploads and downloads rather than direct network connections. The malware protects its configuration and logic using randomized function names and encrypted strings, which are decrypted at runtime via a static constructor initialization.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article focuses on reverse engineering methodologies and tooling (RePythonNET-MCP) rather than providing explicit detection rules.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the execution of the Covenant Grunt and potentially the .NET assembly loading, but the C2 traffic is masked as legitimate API traffic to cloud providers. Network Visibility: Low — C2 communications blend in with legitimate HTTPS traffic to cloud storage providers (Koofr/Filen), making network-based detection difficult without SSL inspection and specific API endpoint monitoring. Detection Difficulty: Hard — The use of legitimate cloud services for C2 and heavy obfuscation of the .NET payload requires advanced memory analysis or reverse engineering to extract the true configuration.

Required Log Sources

• Process Creation
• Network Connections
• .NET ETW / Assembly Load Events

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unusual .NET processes making continuous, automated API calls to cloud storage services like Koofr or Filen, which may indicate a custom C2 bridge.	Network flow logs, DNS queries, EDR network events	Command and Control	Medium
Monitor for unknown or unsigned .NET assemblies loading into memory with high entropy or obfuscated module names.	EDR assembly load events, ETW .NET provider	Execution	High

Control Gaps

• Network egress filtering for cloud storage APIs
• Static analysis of obfuscated .NET binaries

Key Behavioral Indicators

• Unusual API traffic to Koofr or Filen
• In-memory .NET assemblies with randomized function names

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block access to Koofr and Filen domains if they are not required for business operations.

Infrastructure Hardening

• Implement strict egress filtering to limit access to unauthorized cloud storage and file-sharing services.

User Protection

• Ensure EDR solutions are configured to monitor .NET assembly loads and ETW telemetry.

Security Awareness

• Train SOC analysts on the use of legitimate cloud services for C2 (living off the cloud).

MITRE ATT&CK Mapping

• T1027 - Obfuscated Files or Information
• T1027.005 - Indicator Removal from Tools
• T1071.001 - Web Protocols
• T1102.002 - Bidirectional Communication

Additional IOCs

• File Hashes:
  • 69609e89b04d8d27dc47bda2971376cfd760abb40ffe325f00d0cf3303be8906 (sha256) - APT28 Covenant Grunt sample
• Other:
  • 8e1e3a117f - Decrypted configuration string extracted from APT28 Covenant sample (observed in analysis images)
  • ElbkO0c+oZvMOfjAsWNKjkNmALQMcTEcwxu07h7w824= - Decrypted configuration string extracted from APT28 Covenant sample (observed in analysis images)