Threat actors are promoting a new ‘Exfiltrator-22’ post-exploitation framework designed to spread ransomware in corporate networks while evading detection.
Threat analysts at CYFIRMA claim that this new framework was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution in exchange for a subscription fee.
The prices for Exfiltrator-22 range between $1,000 per month and $5,000 for lifetime access, offering continuous updates and support.
Buyers of the framework are given an admin panel hosted on a bulletproof VPS (virtual private server) from where they can control the framework’s malware and issue commands to compromised systems.
The first version of the Exfiltrator-22 (EX-22) appeared in the wild on November 27, 2022, and roughly ten days later, its authors set up a Telegram channel to advertise the framework to other cybercriminals.
By the end of the year, the threat actors announced new features that helped conceal traffic on compromised devices, indicating that the framework was under active development.
In January 2023, EX-22 was deemed 87% ready by its authors, and subscription prices were announced, inviting interested users to purchase access to the tool.
On February 10, 2023, the threat actors posted two demonstration videos on YouTube to showcase EX-22’s lateral movement and ransomware-spreading capabilities.
Exfiltrator-22 features
EX-22 includes features commonly found in other post-exploitation toolkits but also additional features geared towards deploying ransomware and data theft.
The highlight features included in the framework are:
- Establish a reverse shell with elevated privileges.
- Upload files to the breached system or download files from the host to the C2.
- Activate a keylogger to capture keyboard input.
- Activate a ransomware module to encrypt files on the infected device.
- Capture a screenshot from the victim’s computer.
- Start a live VNC (Virtual Network Computing) session for real-time access on the compromised device.
- Gain higher privileges on the infected device.
- Establish persistence between system reboots.
- Activate a worm module that spreads the malware to other devices on the same network or the public internet.
- Extract data (passwords and tokens) from the LSAAS (Local Security Authority Subsystem Service).
- Generate cryptographic hashes of files on the host to help closely monitor file locations and content change events.
- Fetch the list of running processes on the infected device.
- Extract authentication tokens from the breached system.
The above commands are sent to compromised devices through the Windows ‘EX22 Command & Control’ console program.
These commands’ outputs are then returned to the command and control server and displayed directly in the console application, as shown below.
Through the service’s web panel, cybercriminals can also set scheduled tasks, update agents to a new version, change a campaign’s configuration, or create new campaigns.
Linked to LockBit ransomware members
The CYFIRMA team has found evidence that LockBit 3.0 affiliates or members of the ransomware operation’s development team are behind EX-22.
First, they noticed that the framework uses the same “domain fronting” technique associated with the LockBit and the TOR obfuscation plugin Meek, which helps hide malicious traffic inside legitimate HTTPS connections to reputable platforms.
Upon further investigation, CYFIRMA has found that EX-22 also uses the same C2 infrastructure previously exposed in a LockBit 3.0 sample.
Unfortunately, Exfiltrator-22 appears to have been created by knowledgeable malware authors who possess the skills to develop an evasive framework.
Hence, it is expected to generate much interest in the cybercrime community despite its high price, naturally resulting in further code development and feature improvements.
