Security company CYFIRMA said that unknown hackers are promoting a new framework called "Exfiltrator-22" designed to spread ransomware on corporate networks and evade detection.
The researchers claim that Exfiltrator-22 was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution for a monthly fee.
Prices for Exfiltrator-22 range from $1,000 per month to $5,000 for a lifetime license, with ongoing updates and support. Buyers of the framework are provided with an admin panel hosted on a bulletproof VPS server, from which they can manage the framework's malware and issue commands to hacked systems.
Towards the end of 2022, the operators announced in their Telegram channel new features that helped hide traffic on hacked devices, which indicated active development of the framework. On February 10, 2023, the cybercriminals posted two videos on YouTube demonstrating EX22's capabilities: lateral movement and ransomware distribution.
EX22 includes features commonly found in other post-exploitation toolkits, as well as additional features aimed at deploying ransomware and stealing data. The main features of the framework are:
- Creating an elevated reverse shell;
- Uploading files to a compromised system or exfiltrating files to a C2 server;
- Activating a keylogger to capture keyboard input;
- Activating the ransomware module to encrypt files on the infected device;
- Taking a screenshot of the victim's computer;
- Launching a VNC (Virtual Network Computing) session to access the device in real time;
- Obtaining elevated privileges;
- Establishing persistence across system reboots;
- Activating a worm module that spreads the malware to other devices on the same network or on the Internet;
- Extracting passwords and tokens from LSASS (Local Security Authority Subsystem Service);
- Generating cryptographic hashes of files on the host to track file locations and content changes;
- Obtaining a list of running processes on the infected device;
- Retrieving authentication tokens.
The above commands are sent to infected devices via the Windows console application "EX22 Command & Control".
The output of these commands is returned to the C2 server and displayed directly in the console application. Through the service's web panel, attackers can also set scheduled tasks, update agents to a new version, change campaign configuration, or create new campaigns.
The CYFIRMA team found several details pointing to LockBit 3.0 affiliates being behind EX22:
- The framework uses the same "domain fronting" technique as LockBit, together with the Tor meek obfuscation plugin, which hides malicious traffic inside legitimate HTTPS connections to high-reputation platforms;
- EX22 also uses the same C2 infrastructure as LockBit 3.0.
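As an added, defender-side example that is not part of the CYFIRMA report: a small Python script that flags the primary network indicator of domain fronting, a TLS SNI that disagrees with the inner HTTP Host header, in constructed proxy log lines (the log format, hostnames and addresses are assumptions).

```python
import re
# Constructed sample lines (not real traffic) in a hypothetical proxy log format:
# <ts> src=<client ip> sni=<TLS server name> host=<inner HTTP Host header> bytes_out=<n>
SAMPLE_LOG = """\
2023-02-10T10:01:02Z src=10.0.0.12 sni=cdn.example-edge.net host=cdn.example-edge.net bytes_out=1200
2023-02-10T10:01:05Z src=10.0.0.12 sni=cdn.example-edge.net host=c2-front.example.invalid bytes_out=98304
2023-02-10T10:02:11Z src=10.0.0.31 sni=www.example.org host=www.example.org bytes_out=530
2023-02-10T10:03:44Z src=10.0.0.12 sni=static.example-edge.net host=another.example.invalid bytes_out=4096
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+)$")

def same_registrable_domain(a: str, b: str) -> bool:
    # Cheap approximation: compare the last two DNS labels. Production code needs a
    # public-suffix-aware check ("example.co.uk" has three labels).
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]

def find_fronting_candidates(log_text: str) -> list:
    # Domain fronting puts a reputable name in the TLS SNI and the real destination
    # in the inner HTTP Host header. Where the proxy records both, a mismatch across
    # registrable domains is the primary triage signal. Some legitimate CDN setups
    # also produce mismatches, so the results are leads, not verdicts.
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if same_registrable_domain(m["sni"], m["host"]):
            continue
        rec = m.groupdict()
        rec["bytes_out"] = int(rec["bytes_out"])
        findings.append(rec)
    return findings

def summarize_by_source(findings: list) -> dict:
    # Per-client count and total upload volume: repeated mismatches with large
    # outbound byte counts are what an exfiltration channel looks like in this data.
    totals = {}
    for f in findings:
        count, volume = totals.get(f["src"], (0, 0))
        totals[f["src"]] = (count + 1, volume + f["bytes_out"])
    return totals

if __name__ == "__main__":
    hits = find_fronting_candidates(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} SNI={h["sni"]} Host={h["host"]} out={h["bytes_out"]}')
    print(summarize_by_source(hits))
```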
Experts noted that Exfiltrator-22 was created by highly skilled malware developers with the ability to build an evasive framework. Despite the high price, Exfiltrator-22 is therefore expected to attract considerable interest in the cybercriminal community, leading to further development of the code and improvement of its functions.