According to Cyfirma, a cybersecurity company, a new post-exploitation framework being offered as a service is believed to be run by former affiliates of the LockBit ransomware.
Dubbed Exfiltrator-22, or EX-22, the tool was built from the leaked source code of other post-exploitation frameworks and uses the same command-and-control (C&C) infrastructure as LockBit 3.0. It appears to have been written by skilled developers familiar with anti-analysis and defense-evasion techniques, who are marketing it aggressively and selling it on a subscription basis. Customers are given access to a login panel for the EX-22 server, which is hosted on a bulletproof-hosted virtual private server.
Exfiltrator-22’s advertised capabilities include an elevated reverse shell, file download and upload, a keylogger, file encryption (ransomware), a live connection to the infected device, privilege escalation, persistence, lateral movement, LSASS credential dumping, hashing, listing of running processes, and exfiltration of authentication tokens. The malware can bypass User Account Control (UAC), can create scheduled tasks for persistence, and lets operators check the group memberships of the current user and choose which payload to execute on the target machine.
The threat actor likely completed the framework’s development in November 2022 and started advertising it on a newly created Telegram channel in early December. Cyfirma found that the developers abuse Akamai’s content delivery network (CDN) to host Exfiltrator-22’s C&C infrastructure, and assesses that they likely use a Tor obfuscation plugin (a pluggable transport) together with domain fronting, so that the Tor traffic is tunneled inside what looks like legitimate HTTPS connections to the CDN.
Cyfirma also found that the framework uses the same domain fronting technique and C&C infrastructure as a LockBit 3.0 sample. “It can be concluded with high confidence that the threat actors who created EX-22 are highly sophisticated threat actors that are likely to continue to increase the evasiveness of the malware,” Cyfirma concludes.
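Domain fronting of the kind described above leaves one observable trace wherever an organization terminates TLS at a proxy: the server name in the TLS ClientHello (SNI) names the legitimate CDN-fronted site, while the HTTP Host header inside the tunnel names the real C&C endpoint. The following Python triage script is an added example written for this page; it is not Cyfirma’s tooling or any code from EX-22. It assumes a constructed proxy log format (`<ts> <src_ip> <dst_ip> sni=<name> host=<name>`) and constructed sample lines using documentation domains and addresses; the `registrable()` heuristic is deliberately naive and is labeled as such in the code.

```python
"""Flag HTTP Host / TLS SNI mismatches (domain-fronting shape) in proxy logs.

Added example for this article, not code from the report or the malware.
The log format and sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed log line format of a TLS-inspecting proxy (not a real vendor format):
#   <ts> <src_ip> <dst_ip> sni=<tls server name> host=<http host header>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+sni=(?P<sni>\S*)\s+host=(?P<host>\S*)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    sni: str
    host: str
    reason: str


def normalize_name(name: str) -> str:
    """Lower-case, drop a trailing dot and any :port so cosmetic differences don't fire."""
    name = name.strip().lower().rstrip(".")
    return name.split(":", 1)[0]


def registrable(name: str) -> str:
    """Naive registrable-domain heuristic: the last two labels.

    Adequate for the sample; real deployments should use the Public Suffix List
    so that a.co.uk and b.co.uk are not treated as one organization.
    """
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def classify(sni: str, host: str) -> Optional[str]:
    """Return a reason string when the pair looks like fronting, else None."""
    sni, host = normalize_name(sni), normalize_name(host)
    if not host:
        return None                     # nothing inside the tunnel to compare against
    if not sni:
        return "no_sni"                 # weak signal: SNI absent (ECH, old client, or deliberate)
    if sni == host:
        return None
    if registrable(sni) == registrable(host):
        return None                     # one org serving several hostnames; normal on CDNs
    return "host_sni_mismatch"          # the classic domain-fronting shape


def triage(lines: Iterable[str]) -> List[Finding]:
    """Parse log lines and return findings in input order; unparseable lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                    # production code should count these, not drop silently
        reason = classify(m["sni"], m["host"])
        if reason:
            findings.append(Finding(m["ts"], m["src"], m["dst"],
                                    normalize_name(m["sni"]), normalize_name(m["host"]), reason))
    return findings


# Constructed sample log (documentation IPs and example domains, not real traffic).
SAMPLE_LOG = [
    "2023-02-01T10:00:00Z 10.0.0.5 203.0.113.10 sni=cdn.example-shop.com host=cdn.example-shop.com",
    "2023-02-01T10:00:02Z 10.0.0.5 203.0.113.10 sni=cdn.example-shop.com host=c2.example-evil.net",
    "2023-02-01T10:00:03Z 10.0.0.7 203.0.113.11 sni=www.example.com host=static.example.com",
    "2023-02-01T10:00:04Z 10.0.0.7 203.0.113.11 sni=CDN.Example-Shop.com host=cdn.example-shop.com:443",
    "2023-02-01T10:00:05Z 10.0.0.9 203.0.113.12 sni= host=c2.example-evil.net",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst} sni={f.sni!r} host={f.host!r} [{f.reason}]")
```

Two caveats for anyone running something like this: it only works where the proxy can see the plaintext Host header, i.e. with TLS interception, and a Host/SNI mismatch is also produced by some legitimate CDN configurations, so the output is a triage queue to enrich with destination reputation and beaconing patterns, not a block list.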
In conclusion, Exfiltrator-22 is a capable post-exploitation framework believed to be operated by former affiliates of the LockBit ransomware. It offers a range of capabilities, including file download and upload, file encryption, and credential dumping, and has been promoted with an aggressive marketing strategy. Its developers likely rely on Tor obfuscation and domain fronting to hide their C&C traffic, and the framework is expected to become more evasive as they continue to expand it.
Key Points:
- Exfiltrator-22 is a capable post-exploitation framework believed to be operated by former affiliates of the LockBit ransomware.
- The tool has a range of capabilities, including file download and upload, file encryption, and credential dumping.
- The malware developers likely use Tor obfuscation and domain fronting through a CDN to hide their C&C traffic.
- The framework is likely to become more evasive as the threat actors continue to expand its capabilities.