Threat actors are marketing a post-exploitation framework called “Exfiltrator-22” that is intended to propagate ransomware in corporate networks covertly. Threat researchers at CYFIRMA believe that this new framework was developed by former LockBit 3.0 associates who are experienced in defense evasion and anti-analysis, and who are offering a powerful post-exploitation solution in exchange for a monthly fee. Exfiltrator-22 costs $1,000 per month or $5,000 for lifetime usage, with updates and support available at all times. Customers who purchase the framework are given access to an admin panel hosted on a bulletproof VPS, from which they can manage the malware employed by the framework and send commands to infected computers.
Threat actors revealed new capabilities at year’s end that assisted in hiding traffic on infected devices, showing that the framework was still being actively developed. EX-22’s creators assessed it to be 87% complete in January 2023, at which point subscription costs were made public and interested customers were invited to buy access to the program. The threat actors used two YouTube demonstration videos to highlight EX-22’s lateral movement and ransomware-spreading features on February 10, 2023. Current capabilities allow operators to:
- Establish a reverse shell with elevated privileges.
- Upload files to the breached system or download files from the host to the C2.
- Activate a keylogger to capture keyboard input.
- Activate a ransomware module to encrypt files on the infected device.
- Capture a screenshot from the victim’s computer.
- Start a live VNC (Virtual Network Computing) session for real-time access on the compromised device.
- Gain higher privileges on the infected device.
- Establish persistence between system reboots.
- Activate a worm module that spreads the malware to other devices on the same network or the public internet.
- Extract data (passwords and tokens) from LSASS (Local Security Authority Subsystem Service).
- Generate cryptographic hashes of files on the host to help closely monitor file locations and content change events.
- Fetch the list of running processes on the infected device.
- Extract authentication tokens from the breached system.
The CYFIRMA team has discovered evidence that EX-22 was created by LockBit 3.0 associates or members of the ransomware operation’s development staff. Firstly, they discovered that the framework uses the same “domain fronting” method used by LockBit and by the Tor obfuscation plugin Meek, which helps conceal malicious traffic inside normal HTTPS connections to legitimate platforms. Further research by CYFIRMA revealed that EX-22 makes use of the identical C2 infrastructure that was previously disclosed in a LockBit 3.0 sample. Unfortunately, Exfiltrator-22 appears to have been written by experienced malware developers who are capable of building an evasive framework. Because of this, despite its high price, it is anticipated to attract considerable interest in the cybercrime community, which will ultimately lead to further code development and feature enhancements.
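As an added defensive illustration (not part of the CYFIRMA report or the framework), the following Python script flags HTTPS flows in which the TLS SNI and the HTTP Host header name different registrable domains, which is the mismatch that domain fronting relies on. It assumes a TLS-inspecting proxy that logs both fields in a key=value format; that format and every sample log line are constructed.

```python
"""Flag HTTPS flows whose TLS SNI and HTTP Host header disagree.

Domain fronting puts a legitimate domain in the TLS SNI while the
inspected HTTP Host header names the real backend. Sample data below
is constructed, not real indicators.
"""
import re

# Assumed key=value proxy log format; adapt the regex to your proxy.
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = """\
ts=2023-02-10T12:00:01Z src=10.0.0.15 sni=cdn.front-example.com host=cdn.front-example.com bytes_out=812
ts=2023-02-10T12:00:03Z src=10.0.0.15 sni=cdn.front-example.com host=c2-backend.example.net bytes_out=4096
ts=2023-02-10T12:00:05Z src=10.0.0.21 sni=www.example.org host=EXAMPLE.ORG:443 bytes_out=120
ts=2023-02-10T12:00:07Z src=10.0.0.33 sni=static.front-example.com host=api.front-example.com bytes_out=500
ts=2023-02-10T12:00:09Z src=10.0.0.42 sni=cdn.front-example.com bytes_out=300
"""


def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}


def normalize(name: str) -> str:
    # Lower-case, drop a :port suffix and a trailing dot.
    return name.lower().split(':')[0].rstrip('.')


def registrable(name: str) -> str:
    # Naive "last two labels" approximation; a real deployment should
    # use the Public Suffix List (e.g. co.uk is mishandled here).
    return '.'.join(name.split('.')[-2:])


def find_fronting(log: str) -> list:
    """Return records whose Host names a different registrable domain than SNI."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if 'sni' not in rec or 'host' not in rec:
            continue  # Host not visible (flow not inspected): cannot judge here
        sni, host = normalize(rec['sni']), normalize(rec['host'])
        # Same registrable domain (www vs apex, CDN edge vs API host) is routine.
        if sni != host and registrable(sni) != registrable(host):
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for hit in find_fronting(SAMPLE_LOG):
        print(f"possible domain fronting: {hit['src']} sni={hit['sni']} host={hit['host']}")
```

Flows without a visible Host header are skipped rather than flagged, since uninspected TLS gives no evidence either way; pair this check with a review of which clients are allowed to reach the fronted CDN at all.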