Ironjaw

Malware Profile Updated 3 months ago
IronJaw is a sophisticated malware variant, primarily delivered through ISO files hosted on free hosting providers. It was first observed in late July and early August and is attributed to the threat actor FROZENLAKE. The malware consists of a small PowerShell script that steals browser login data and local state directories and exfiltrates them to a command and control (C2) server. The script runs once the malware has infected a system, typically without the user's knowledge. Delivery of IronJaw through exploitation of CVE-2023-38831 and the creation of a reverse SSH tunnel were new additions to the typical FROZENLAKE toolkit.

The malware gained more prominence when a sample named "IOC_09_11.rar" was uploaded to VirusTotal on September 11th. This sample exploited CVE-2023-38831 to drop a BAT file that opens a decoy PDF file, creates a reverse SSH shell to an attacker-controlled IP address, and executes the IronJaw script with PowerShell. Researchers also reported an APT28 attack that dropped the IronJaw PowerShell script, further highlighting the severity of this threat.

IronJaw has been linked to attacks on various organizations in France and Ukraine, demonstrating its widespread impact. Notably, it has also been used together with the WinRAR flaw (CVE-2023-38831) to steal browser login data. The state-sponsored operators behind these attacks have shown their adaptability in distributing the malware, both by abusing known software vulnerabilities and by using free hosting providers to stage exploits.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: State Sponso..., Vulnerability, Exploit, WinRAR, Exploits, Decoy
Associated Malware
No associations to display
Associated Threat Actors
APT28 (type: Unspecified, votes: 1)
APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Frozenlake (type: Unspecified, votes: 1)
Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vuln
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Ironjaw malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 9 months ago | Government-backed actors exploiting WinRAR vulnerability
Securityaffairs | 8 months ago | APT29 group exploited WinRAR 0day in attacks against embassies
CERT-EU | 8 months ago | Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability
DARKReading | 9 months ago | Patch Now: APTs Continue to Pummel WinRAR Bug
Securityaffairs | 9 months ago | Multiple APT groups exploited WinRAR flaw CVE-2023-38831
CERT-EU | 9 months ago | Russian and Chinese nation-state actors target recently patched WinRAR zero-day