New Feature-Rich Post-Exploitation Tool 'Exfiltrator-22' Linked With LockBit
A group of individuals, possibly ex-affiliates or members of LockBit, has developed a new post-exploitation framework called Exfiltrator-22, aka EX-22. It has been created using the leaked source code from other post-exploitation frameworks.

EX-22 functions as a post-exploitation framework-as-a-service model and spreads ransomware in corporate networks while evading detection.

Evolution of Exfiltrator-22

  • The first variant appeared in the wild on or before November 27, 2022, and roughly 10 days later, a Telegram channel was set up to advertise the framework with an aggressive marketing strategy.
  • In December 2022, the threat actors announced a new feature that offers traffic concealment on compromised devices, indicating that it was under active development.
  • This year in January, its creators announced that EX-22 is 87% ready for use, and is available for a subscription for $1,000 per month and $5,000 for lifetime access with continuous updates and support.
  • In February, the threat actors posted two demonstration videos on their YouTube channel to showcase EX-22’s lateral movement and ransomware-spreading capabilities.

Spreading ransomware and evading detection

According to CYFIRMA researchers, subscribers of the tool are given an admin login panel to access the EX-22 server, which is hosted on a bulletproof VPS.
  • The tool can be used to establish a reverse shell with elevated privileges, upload files to the breached system, download files from the host to the C2, and activate a keylogger, a ransomware module, or a worm module on the infected device.
  • It can capture screenshots, start a live VNC session for real-time access on the compromised device, gain higher privileges, establish persistence between system reboots, and extract data from the LSASS and authentication tokens.
  • It can generate cryptographic hashes of files on the host to help closely monitor file locations and content change events and fetch the list of running processes.
  • Additionally, attackers can set scheduled tasks, update agents to a new version, change a campaign's configuration, or create new campaigns.

The framework claims to be fully undetectable by every antivirus and EDR vendor.

Malware attribution

Experts found similarities between LockBit 3.0 and EX-22 samples.
  • EX-22 and LockBit 3.0 both use the TOR obfuscation plugin Meek and domain fronting to hide malicious traffic inside legitimate HTTPS connections to reputable platforms.
  • Both use the same network infrastructure for concealing C2 traffic.
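As an added defender-side illustration (not code from the CYFIRMA report or from the EX-22 tooling), the check below flags the signal that domain fronting leaves in the logs of a TLS-inspecting proxy: the TLS SNI names the reputable front while the inner HTTP Host header names a different destination. The log records, host names and byte threshold are constructed placeholders.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class ProxyRecord:
    src_ip: str
    sni: str        # server name from the TLS ClientHello
    http_host: str  # Host header seen after TLS inspection
    bytes_out: int  # bytes sent by the client on this flow


def _normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix so hosts compare cleanly."""
    host = host.strip().lower().rstrip(".")
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_fronting_candidate(rec: ProxyRecord) -> bool:
    """SNI and Host should agree; a mismatch is the primary domain-fronting signal."""
    return _normalize(rec.sni) != _normalize(rec.http_host)


def find_fronting(records):
    """Return every record whose SNI and Host header disagree."""
    return [r for r in records if is_fronting_candidate(r)]


def suspicious_sources(records, min_bytes: int):
    """Sum client egress over mismatched flows per source and keep sources above
    min_bytes, which pairs the fronting signal with an exfiltration-sized volume."""
    totals = defaultdict(int)
    for r in find_fronting(records):
        totals[r.src_ip] += r.bytes_out
    return {ip: n for ip, n in totals.items() if n >= min_bytes}


# Constructed sample records (placeholder names, not real indicators)
SAMPLE_RECORDS = [
    ProxyRecord("10.0.0.5", "www.example-cdn.com", "www.example-cdn.com", 1200),
    ProxyRecord("10.0.0.7", "www.example-cdn.com", "update.unrelated-front.test:443", 480000),
    ProxyRecord("10.0.0.7", "www.example-cdn.com", "update.unrelated-front.test", 25000),
    ProxyRecord("10.0.0.9", "mail.example.org", "MAIL.example.org.", 900),
]

if __name__ == "__main__":
    for rec in find_fronting(SAMPLE_RECORDS):
        print(f"SNI/Host mismatch from {rec.src_ip}: {rec.sni} -> {rec.http_host}")
    print(suspicious_sources(SAMPLE_RECORDS, min_bytes=100000))
```

A mismatch alone is not proof of fronting (misconfigured proxies and some CDN setups produce it), so the volume filter in `suspicious_sources` is what turns the signal into a triage-worthy alert.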

Conclusion

Experts concluded with high confidence that EX-22 was created by highly sophisticated threat actors, and they suspect that a fully featured tool with low detection rates may gain considerable traction among adversaries. To stay protected, experts recommend implementing multi-layered security with real-time detection and prevention capabilities.
Publisher: Cyware