Threat Deep Dive: Exfiltrator-22 Post-Exploitation Tool

Summary

A group of cyber criminals are advertising a new, fully undetectable, post-exploitation tool, Exfiltrator-22 (EX-22), on underground forums. This framework was designed to spread ransomware through corporate networks while evading detection. It’s marketed via a framework-as-a-service model, offering affiliates the opportunity to purchase per month or lifetime access to the tool. Some evidence suggests EX-22 may have links to ex-affiliates or members of LockBit, however the ransomware group denies any connection to the tool.

Development Timeline

EX-22 was first seen in the wild in late November 2022, and by early December a Telegram channel was established to aggressively market the tool. Development likely continued throughout December with the creators announcing new features to include traffic concealment on compromised devices. In January 2023, the creators announced EX-22 was 87% ready and revealed the subscription-based payment model for the tool: $1,000 per month, or $5,000 for lifetime access with continuous updates and support. Additionally, the creators posted two demonstration videos to their YouTube channel showcasing EX-22’s lateral movement and ransomware-spreading capabilities in February 2023.

Features:

EX-22 exhibits many features commonly found in other post-exploitation toolkits, however unlike other tools, it has additional features dedicated to deploying ransomware. Some highlights include:

Establish a reverse shell with elevated privileges.
Upload files to the breached system or download files from the host to the C2.
Activate a keylogger to capture keyboard input.
Activate a ransomware module to encrypt files on the infected device.

Capture a screenshot from the victim’s computer.
Start a live VNC (Virtual Network Computing) session for real-time access on the compromised device.
Gain higher privileges on the infected device.
Establish persistence between system reboots.
Activate a worm module that spreads the malware to other devices on the same network or the public internet.

Extract data (passwords and tokens) from the LSASS (Local Security Authority Subsystem Service).
Generate cryptographic hashes of files on the host to help closely monitor file locations and content change events.
Fetch the list of running processes on the infected device.
Extract authentication tokens from the breached system.

When an affiliate subscribes to the tool, they are given an admin panel hosted on a bulletproof virtual private server where they can control the framework and issue commands to compromised systems. It’s clear the threat actors behind EX-22 are skilled at anti-analysis and defense evasion techniques with the framework touting only 5/70 detections on online sandboxes as of mid-February.

Attribution

Threat experts at Cyfirma, a cybersecurity company, revealed that samples of LockBit 3.0 and EX-22 use the same C2 infrastructure, and both use the TOR (The Onion Routing project) obfuscation plugin Meek and domain fronting to hide malicious traffic inside legitimate HTTPS connections to reputable platforms. Despite these similarities, LockBit ransomware gang made a post on their leak site denying any links to the tool, claiming that EX-22 is a PR stunt by some newbies.

Conclusion

It’s evident the creators of EX-22 are sophisticated threat actors who will likely continue to enhance the tool. Even with its high price point, EX-22 will likely generate high levels of interest throughout the cybercriminal community due it its current low detection rate. Implementing multi-layered security with real-time detection and prevention abilities will be imperative to stay protected.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: