Ironjaw

Malware updated 5 months ago (2024-05-04T20:49:43.295Z)
IronJaw is a malware family, primarily delivered through ISO files hosted on free hosting providers. It was first observed in late July and early August and is attributed to the threat actor FROZENLAKE. The malware uses a small PowerShell script to steal browser login data and Local State directories and exfiltrate them to a command and control (C2) server. The script runs once the malware has infected a system, usually without the user's knowledge. Delivery of IronJaw through exploitation of CVE-2023-38831 and the creation of a reverse SSH tunnel were new additions to the typical FROZENLAKE toolkit.

The malware gained more prominence when a sample named "IOC_09_11.rar" was uploaded to VirusTotal on September 11th. This sample exploited CVE-2023-38831 to drop a BAT file that opens a decoy PDF, creates a reverse SSH shell to an attacker-controlled IP address, and executes the IronJaw script with PowerShell. Researchers have also reported an APT28 attack that dropped the IronJaw PowerShell script, further highlighting the severity of this threat.

IronJaw has been linked to attacks on various organizations in France and Ukraine, demonstrating its widespread impact. Notably, it has also been used together with the WinRAR flaw (CVE-2023-38831) to steal browser login data. The state-sponsored operators behind these attacks have shown their adaptability by distributing the malware in several ways, including abuse of known software vulnerabilities and use of free hosting providers for exploits.
Description last updated: 2024-05-04T20:30:55.505Z
Aliases: none currently tracked