In December 2022, an anonymous threat actor started advertising the new tool even before the tool’s completion and availability via a new telegram channel (EXFILTRATOR-22 [EX-22]). They claim that the tool is fully undetectable (FUD) by any antivirus or endpoint detection system (EDR).
In this article, we will walk you through what is the new post-exploitation framework, Exfiltrator-22, and is Exfiltrator-22 related to Lock bit 3.0.
What Is a Post-Exploitation Framework?
Post-exploitation refers to any action done by an attacker after they have successfully exploited the target. Both attackers and pen testers use the post-exploitation framework for lateral movement, privilege escalation, CnC, and many more without disturbing the user. One of the famous post-exploitation tools is Metasploit which is free and open-source.
The post-exploitation attack framework will directly inject a malicious payload into the infected endpoint so the attacker can access it whenever they want to, which will help them understand what further action needs to be taken (to escalate or not). These frameworks successfully establish a connection with the target using Command-and-Control Server to maintain communication with compromised machines post-exploitation.
What Is the New Post-Exploitation Framework Exfiltrator-22?
A research group CYFIRMA released a primary analysis of the framework known as Exfiltrator-22 or EX-22. As per the initial observation by the team, it is suspected that the threat actor behind creating and operating this malware is from North, East, or South-East Asia.
In late 2022, the attackers started advertising the tool EX-22 via a telegram channel. Later in January 2023, the threat actor announced that Exfiltrator-22 is ready to use and will be available as a subscription model. 1000$ per year or 5000$ for lifetime access. In February 2023, the threat actor demonstrated features of the tool EX-22 on YouTube via a channel named ‘@DWORKWITH_EXFILTRATOR-22.’ It is still unclear If they have released the fully working version.
Exfiltrator-22- Technical Details
As per cyfirma, the main target of EX-22 is x64 architecture, and the tool is hosted on a bulletproof virtual private server (VPS). Bulletproof hosting lets an attacker bypass the laws and regulations of that country of operation that might otherwise shut down malicious activities.
EX-22 let users have access to an administration panel that allows them to control malware and the tasks associated with it remotely. EX-22 claims that they are fully undetectable to any antivirus solutions or endpoint detection and response systems (EDR), so as per the finding in Feb 2023, even though the claim is not completely true the detection rate is 5/70 on online sandboxes, even after multiple dynamic scans. This shows that the treat actor is very skilled in defense evasion techniques.
Exfiltrator-22- Features
EX-22 is designed to spread ransomware in corporate networks without being detected, and it has rich features making it quite simple for anyone who purchases it.
Some of the key findings of EX-22 are:
- Elevated Reverse shell
- Downloading and uploading files from compromised machines to remote servers
- Keylogger
- Screenshot
- Ransomware
- Persistence and privilege elevation
- Extraction of sensitive information using LSASS dump
- Hashing
- Steal tokens
How Is Exfiltrator-22 Related to Lock Bit 3.0?
Exfiltrator-22 has many similarities to Lockbit 3.0. The tactics, techniques, and procedures (TTP) of EX-22 are shared with the TTPs of Lockbit 3.0. Both Ex-22 and Lockbit malware uses domain-fronting techniques. It also has the same infrastructure for hiding the command-and-control traffic that is associated with the IP 23.216.147[.]76.
Attack Vectors and MITRE ATT&CK Identifiers
The attack vectors used in the post-exploitation framework Exfiltrator-22 is:
MITRE ATT&CK Enterprise Identifiers
- T1027 (Obfuscated Files or Information)
- T1055 (Process Injection)
- T1055.003 (Thread Execution Hijacking)
- T1056.001 (Keylogging)
- T1057 (Process Discovery)
- T1082 (System Information Discovery)
- T1083 (File and Directory Discovery)
- T1112 (Modify Registry)
- T1113 (Screen Capture)
- T1129 (Shared Modules)
- T1134 (Access Token Manipulation)
- T1486 (Data Encrypted for Impact)
- T1497 (Virtualization/Sandbox Evasion)
- T1497.002 (User Activity Based Checks)
- T1547.001 (Registry Run Keys / Startup Folder)
- T1620 (Reflective Code Loading)
IOC
| No | Tactics | Technique ID |
| 1 | 874726830ae6329d3460767970a2f805 | md5 |
| 2 | eca49c8962c55bfb11d4dc612b275daa85cfe8c3 | sha1 |
| 3 | 32746688a23543e674ce6dcf03256d99988a269311bf3a8f0f944016fe3a931d | sha256 |
| 4 | Worm[.]exe | filename |
| 5 | Worm24[.]exe | filename |
| 6 | 23.216.147[.]76 | IPv4 |
| 7 | 20.99.184[.]37 | IPv4 |
Conclusion
In recent years we have seen an upward trend in cybercriminals using malware as a service (MaaS) to execute their threat campaigns. From the features and characteristics of EX-22, it can be concluded that the attackers behind this are highly sophisticated, which will increase the spreading of further cyber-attacks. EX-22 will become a tool that attackers go for when they don’t want to follow traditional tools, which can be detected easily.