Threat actors are advertising a new post-exploitation framework called “Exfiltrator-22”, which is designed to distribute ransomware in companies’ networks while avoiding detection. According to threat analysis, the new framework was developed by former LockBit 3.0 affiliates who specialize in anti-analysis and defense evasion, and it is offered as a robust solution for a subscription fee. Exfiltrator-22 costs between $1,000 per month and $5,000 for a lifetime subscription, which includes continuous updates and support. Buyers of the framework are provided an admin panel hosted on a secure VPS (virtual private server) from which they can control the framework’s malware and issue commands to infected systems.
Exfiltrator-22’s initial version emerged in the wild in November 2022, and its author opened a Telegram group to promote the framework to other cybercriminals about 10 days later. At the end of 2022, the threat actors disclosed new features that assisted in traffic concealment on compromised devices, showing that the framework was still in active development. In January 2023, the author described EX-22 as 87% ready and revealed the subscription fees, inviting users who are interested in purchasing access to the tool. The threat actors also uploaded two YouTube videos demonstrating EX-22’s lateral movement and ransomware-spreading capabilities.
EX-22 includes features seen in other post-exploitation toolkits along with features tailored to ransomware deployment and data theft. The following are the framework’s highlighted features:
- Create a reverse shell with elevated privileges.
- Upload files to compromised systems or download them from the host to the C2.
- Set up a keylogger to record keyboard input.
- Enable a ransomware module on infected devices to encrypt files.
- Take a screen capture from the victims’ computers.
- Launch live VNC (Virtual Network Computing) sessions on compromised devices to gain real-time access.
- Elevate privileges on infected devices.
- Establish persistence across system reboots.
- Activate worm modules, which distribute malware to other devices on the same network or the public internet.
- Extract data (passwords and tokens) from LSASS (Local Security Authority Subsystem Service).
- Create cryptographic hashes of files on hosts to assist in monitoring file locations and content change events.
- Acquire a list of running processes on infected devices.
- Steal authentication tokens from compromised systems.
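Several of the listed capabilities (LSASS credential extraction, token theft) require the agent to open a handle to the LSASS process with memory-read rights, which a Sysmon Event ID 10 (ProcessAccess) record exposes. The following detection logic is an added example written for this post; it is not code from the original article or from the EX-22 tooling. It assumes events have already been exported as dictionaries using Sysmon's field names (SourceImage, TargetImage, GrantedAccess); the allowlist of legitimate source images and the sample events are constructed for illustration and must be tuned per environment.

```python
"""Flag suspicious process handles to LSASS from Sysmon Event ID 10 records.

Added example, not part of the original post or the EX-22 tooling.
Assumes Sysmon ProcessAccess events exported as dicts keyed by Sysmon's
field names. Allowlist and sample events below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Windows process access rights (winnt.h). PROCESS_VM_READ is the right a
# credential dumper needs in order to read LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF

# Constructed allowlist (assumption): system binaries and an AV engine that
# legitimately open LSASS on this hypothetical estate. Tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_lsass_target(target_image: str) -> bool:
    """True when the TargetImage is lsass.exe (case-insensitive)."""
    return target_image.strip().lower().endswith("\\lsass.exe")


def parse_access(granted: str) -> int:
    """Sysmon logs GrantedAccess as a hex string such as '0x1010'."""
    return int(granted.strip(), 16)


def classify_lsass_access(event: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'low' or None for one ProcessAccess event.

    high: non-allowlisted process obtained memory-read or full access to LSASS
    low:  non-allowlisted process only queried LSASS (process info, no memory)
    None: target is not LSASS, or the source image is allowlisted
    """
    if not is_lsass_target(event.get("TargetImage", "")):
        return None
    source = event.get("SourceImage", "").strip().lower()
    if source in ALLOWED_SOURCES:
        return None
    access = parse_access(event.get("GrantedAccess", "0x0"))
    if access & PROCESS_VM_READ or access == PROCESS_ALL_ACCESS_MASK:
        return "high"
    if access & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        return "low"
    return "low"


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (SourceImage, severity) for every event worth triaging."""
    hits = []
    for ev in events:
        sev = classify_lsass_access(ev)
        if sev is not None:
            hits.append((ev["SourceImage"], sev))
    return hits


# Constructed sample events, modelled on Sysmon Event ID 10 fields.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Users\Public\svc_update.exe",   # constructed name
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\Public\svc_update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for source, severity in find_suspicious(SAMPLE_EVENTS):
        print(f"[{severity}] {source} opened LSASS")
```

The 0x1010 mask in the second sample (PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION) is the classic credential-dumping signature; the query-only handle from Task Manager is still surfaced at low severity so that an analyst can decide whether to allowlist it.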
Commands are sent to infected devices using the Windows “EX-22 Command & Control” console program. The commands’ outputs are subsequently returned to the command-and-control server and shown directly in the console application. Additionally, cybercriminals can use the service’s web panel to set up scheduled tasks, update agents to a new version, change campaigns’ configurations, or create new campaigns.
Evidence was discovered that EX-22 was created by LockBit 3.0 affiliates or members of the ransomware operation’s development team. The framework used the same “domain fronting” technique as LockBit and the Tor obfuscation plugin Meek, which assisted in concealing malicious traffic inside legitimate HTTPS connections to reputable platforms. An additional investigation discovered that EX-22 uses the same C2 infrastructure previously exposed in a LockBit 3.0 sample. Either way, Exfiltrator-22 appears to have been developed by knowledgeable malware authors capable of creating an evasive framework. Despite its high price, it is projected to pique the interest of the cybercrime community, resulting in additional code development and feature improvements.
With ransomware groups developing new methods and techniques, including post-exploitation tools, it is important for companies to always remain alert to the current threat landscape and regularly update their networks’ security infrastructure. At SpearTip, our certified engineers work continuously at our 24/7/365 Security Operations Center monitoring companies’ networks for potential ransomware threats, and are ready to respond to incidents at a moment’s notice. Our engineers work to restore companies’ operations, reclaim their networks by isolating malware, and recover business-critical assets. We examine companies’ security posture to improve the weak points in their network and engage their people, processes, and technology to measure the maturity of the technical environment. We provide technical roadmaps for all vulnerabilities uncovered, ensuring companies have the awareness and support to optimize their overall cybersecurity posture. SpearTip’s ShadowSpear Platform, our integrable managed detection and response tool, utilizes comprehensive insights through unparalleled data normalization and visualizations.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.