    New post-exploitation framework Exfiltrator-22 from the creators of LockBit

    Security company CYFIRMA said that unknown hackers are promoting a new framework called "Exfiltrator-22" designed to spread ransomware on corporate networks and evade detection.

    The researchers claim that Exfiltrator-22 was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution for a monthly fee.

    Prices for Exfiltrator-22 range from $1,000 per month to $5,000 for a lifetime license, with ongoing updates and support included. Buyers receive an admin panel hosted on a bulletproof VPS (bulletproof hosting), from which they can manage the framework's malware and issue commands to compromised systems.

    By the end of 2022, the operators had announced in their Telegram channel new features that help hide traffic on compromised devices, which indicated that the framework was under active development. On February 10, 2023, the cybercriminals posted two videos on YouTube demonstrating EX22's capabilities: lateral movement and ransomware distribution.

    EX22 includes features commonly found in other post-exploitation toolkits, as well as additional features aimed at deploying ransomware and stealing data. The main features included in the framework are:

    • Creating an elevated reverse shell;
    • Uploading files to a compromised system or exfiltrating files to a C2 server;
    • Activating a keylogger to intercept keyboard input;
    • Activating the ransomware module to encrypt files on the infected device;
    • Taking a screenshot of the victim's computer;
    • Launching a VNC (Virtual Network Computing) session to access the device in real time;
    • Obtaining elevated privileges;
    • Establishing persistence across system reboots;
    • Activating a worm module that spreads malware to other devices on the same network or on the Internet;
    • Extracting passwords and tokens from LSASS (Local Security Authority Subsystem Service);
    • Generating cryptographic hashes of files on the host to closely track file locations and content change events;
    • Obtaining a list of running processes on an infected device;
    • Retrieving authentication tokens.

    The above commands are sent to infected devices via the Windows console application "EX22 Command & Control".

    The output of these commands is returned to the C2 server and displayed directly in the console application. Through the service's web panel, attackers can also set scheduled tasks, update agents to a new version, change campaign configuration, or create new campaigns.

    The CYFIRMA team pointed to several details as evidence that LockBit 3.0 affiliates are behind EX22:

    • The framework uses the same “domain fronting” technique as LockBit and the TOR Meek obfuscation plugin, which helps to hide malicious traffic inside legitimate HTTPS connections to reputable platforms;
    • EX22 also uses the same C2 infrastructure as LockBit 3.0.
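
For defenders, the domain fronting mentioned above leaves one observable trace when HTTPS is inspected: the server name in the TLS handshake (SNI) and the HTTP Host header point to different sites. The following detection sketch is an added example, not code from CYFIRMA or the article; the log schema, field names and sample records are constructed, and the two-label site comparison is a simplifying assumption.

```python
import json

# Constructed sample records from a TLS-inspecting proxy (hypothetical schema):
# "sni" is the server name in the TLS ClientHello, "host" is the HTTP Host
# header seen after decryption. All names use reserved example domains.
SAMPLE_LOG = """\
{"src": "10.0.4.17", "sni": "cdn.example.com", "host": "cdn.example.com"}
{"src": "10.0.4.17", "sni": "cdn.example.com", "host": "hidden-c2.example.net"}
{"src": "10.0.7.22", "sni": "WWW.Example.org.", "host": "www.example.org:443"}
{"src": "10.0.7.22", "sni": "static.example.com", "host": "img.example.com"}
{"src": "10.0.9.3", "sni": "", "host": "api.example.org"}
not-json garbage line
"""

def normalize(name):
    """Lower-case, strip port and trailing dot so equal hosts compare equal."""
    name = (name or "").strip().lower()
    if name.startswith("["):           # bracketed IPv6 literal
        name = name[1:].split("]")[0]
    elif name.count(":") == 1:         # host:port
        name = name.split(":")[0]
    return name.rstrip(".")

def site(name):
    """Naive registrable domain: last two labels (assumption; a production
    check should use the Public Suffix List)."""
    return ".".join(name.split(".")[-2:])

def find_fronting(log_text):
    """Return (findings, skipped). A finding is a record whose SNI and Host
    belong to different sites, the signature of domain fronting."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1               # unparseable line: count it, keep going
            continue
        sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
        if not sni or not host:        # no SNI or no Host: cannot compare
            skipped += 1
            continue
        if site(sni) != site(host):
            findings.append({"src": rec.get("src"), "sni": sni, "host": host})
    return findings, skipped

if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG)[0]:
        print(f"possible domain fronting: {f['src']} sni={f['sni']} host={f['host']}")
```

Records that cannot be compared are counted rather than dropped silently, since a spike in connections without SNI is itself worth reviewing.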

    Experts noted that Exfiltrator-22 was created by highly skilled malware developers capable of building an evasive framework. Despite the high price, Exfiltrator-22 is therefore expected to generate a lot of interest in the cybercriminal community, which will lead to further development of the code and improvement of its functions.

    Author DeepWeb