Ironjaw

Malware Profile Updated 24 days ago
IronJaw is a malware variant primarily delivered through ISO files hosted on free hosting providers. It was first observed in late July and early August and is attributed to the threat actor FROZENLAKE. The core of the malware is a small PowerShell script that steals browser login data and local state directories and exfiltrates them to a command and control (C2) server; the script runs once the malware has infected a system, typically without the user's knowledge. Two elements were new to the usual FROZENLAKE toolkit: delivery via exploitation of CVE-2023-38831 and the creation of a reverse SSH tunnel.

IronJaw gained more prominence when a sample named "IOC_09_11.rar" was uploaded to VirusTotal on September 11th. The archive exploited CVE-2023-38831 to drop a BAT file that opens a decoy PDF, establishes a reverse SSH shell to an attacker-controlled IP address, and executes the IronJaw script with PowerShell. Researchers also reported an APT28 attack that dropped the IronJaw PowerShell script, which underlines the severity of the threat.

IronJaw has been linked to attacks on organizations in France and Ukraine. Notably, it has also been used alongside exploitation of the WinRAR flaw (CVE-2023-38831) to steal browser login data. The state-sponsored actors behind these attacks have shown adaptability in how they distribute the malware, combining abuse of known software vulnerabilities with free hosting providers for their exploits.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Ironjaw malware was read from the document corpus below. This display is limited to 20 results.
Source         | Created At   | Title
CERT-EU        | 7 months ago | Government-backed actors exploiting WinRAR vulnerability
Securityaffairs| 6 months ago | APT29 group exploited WinRAR 0day in attacks against embassies
DARKReading    | 7 months ago | Patch Now: APTs Continue to Pummel WinRAR Bug
CERT-EU        | 6 months ago | Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability
CERT-EU        | 7 months ago | Russian and Chinese nation-state actors target recently patched WinRAR zero-day
Securityaffairs| 7 months ago | Multiple APT groups exploited WinRAR flaw CVE-2023-38831