The New Post-Exploitation framework- Exfiltrator-22

In December 2022, an anonymous threat actor started advertising the new tool even before the tool’s completion and availability via a new telegram channel (EXFILTRATOR-22 [EX-22]). They claim that the tool is fully undetectable (FUD) by any antivirus or endpoint detection system (EDR).

In this article, we will walk you through what is the new post-exploitation framework, Exfiltrator-22, and is Exfiltrator-22 related to Lock bit 3.0.

What Is a Post-Exploitation Framework?

Post-exploitation refers to any action done by an attacker after they have successfully exploited the target. Both attackers and pen testers use the post-exploitation framework for lateral movement, privilege escalation, CnC, and many more without disturbing the user. One of the famous post-exploitation tools is Metasploit which is free and open-source.

The post-exploitation attack framework will directly inject a malicious payload into the infected endpoint so the attacker can access it whenever they want to, which will help them understand what further action needs to be taken (to escalate or not). These frameworks successfully establish a connection with the target using Command-and-Control Server to maintain communication with compromised machines post-exploitation.

What Is the New Post-Exploitation Framework Exfiltrator-22?

A research group CYFIRMA released a primary analysis of the framework known as Exfiltrator-22 or EX-22. As per the initial observation by the team, it is suspected that the threat actor behind creating and operating this malware is from North, East, or South-East Asia.

In late 2022, the attackers started advertising the tool EX-22 via a telegram channel. Later in January 2023, the threat actor announced that Exfiltrator-22 is ready to use and will be available as a subscription model. 1000$ per year or 5000$ for lifetime access. In February 2023, the threat actor demonstrated features of the tool EX-22 on YouTube via a channel named ‘@DWORKWITH_EXFILTRATOR-22.’ It is still unclear If they have released the fully working version.

Exfiltrator-22- Technical Details

As per cyfirma, the main target of EX-22 is x64 architecture, and the tool is hosted on a bulletproof virtual private server (VPS). Bulletproof hosting lets an attacker bypass the laws and regulations of that country of operation that might otherwise shut down malicious activities.

EX-22 let users have access to an administration panel that allows them to control malware and the tasks associated with it remotely. EX-22 claims that they are fully undetectable to any antivirus solutions or endpoint detection and response systems (EDR), so as per the finding in Feb 2023, even though the claim is not completely true the detection rate is 5/70 on online sandboxes, even after multiple dynamic scans. This shows that the treat actor is very skilled in defense evasion techniques.

Exfiltrator-22- Features

EX-22 is designed to spread ransomware in corporate networks without being detected, and it has rich features making it quite simple for anyone who purchases it.

Some of the key findings of EX-22 are:

Diamond model for EX-22 (Source: Cyfirma)

How Is Exfiltrator-22 Related to Lock Bit 3.0?

Exfiltrator-22 has many similarities to Lockbit 3.0. The tactics, techniques, and procedures (TTP) of EX-22 are shared with the TTPs of Lockbit 3.0. Both Ex-22 and Lockbit malware uses domain-fronting techniques. It also has the same infrastructure for hiding the command-and-control traffic that is associated with the IP 23.216.147[.]76.

Attack Vectors and MITRE ATT&CK Identifiers

The attack vectors used in the post-exploitation framework Exfiltrator-22 is:

MITRE ATT&CK Enterprise Identifiers