The New Post-Exploitation Framework: Exfiltrator-22

In December 2022, an anonymous threat actor started advertising a new tool via a new Telegram channel (EXFILTRATOR-22 [EX-22]), even before the tool was complete or available. They claim that the tool is fully undetectable (FUD) by any antivirus or endpoint detection and response (EDR) system.

In this article, we walk through what the new post-exploitation framework Exfiltrator-22 is and whether it is related to LockBit 3.0.

What Is a Post-Exploitation Framework?

Post-exploitation refers to any action an attacker takes after successfully exploiting a target. Both attackers and penetration testers use post-exploitation frameworks for lateral movement, privilege escalation, command and control (C2), and more, without disturbing the user. One well-known post-exploitation tool is Metasploit, which is free and open source.

A post-exploitation framework injects a malicious payload directly into the infected endpoint so the attacker can access it whenever they want, which helps them decide what further action to take (to escalate or not). These frameworks establish a connection with the target through a command-and-control server to maintain communication with compromised machines after exploitation.

What Is the New Post-Exploitation Framework Exfiltrator-22?

The research group CYFIRMA released a primary analysis of the framework known as Exfiltrator-22, or EX-22. Based on the team's initial observations, the threat actor creating and operating this malware is suspected to be from North, East, or South-East Asia.

In late 2022, the attackers started advertising EX-22 via a Telegram channel. In January 2023, the threat actor announced that Exfiltrator-22 was ready to use and would be available on a subscription model: $1000 per year or $5000 for lifetime access. In February 2023, the threat actor demonstrated features of EX-22 on YouTube via a channel named ‘@DWORKWITH_EXFILTRATOR-22’. It is still unclear whether they have released a fully working version.

Exfiltrator-22: Technical Details

According to CYFIRMA, EX-22 mainly targets the x64 architecture, and the tool is hosted on a bulletproof virtual private server (VPS). Bulletproof hosting lets an attacker evade the laws and regulations of the country of operation that might otherwise shut down malicious activity.

EX-22 gives users access to an administration panel from which they can remotely control the malware and its associated tasks. EX-22 is claimed to be fully undetectable by any antivirus or endpoint detection and response (EDR) system. As of the February 2023 findings, the claim is not completely true, but the detection rate on online sandboxes is 5/70, even after multiple dynamic scans. This shows that the threat actor is very skilled in defense evasion techniques.

Exfiltrator-22: Features

EX-22 is designed to spread ransomware in corporate networks without being detected, and its rich feature set makes it quite simple to use for anyone who purchases it.

Some of the key findings of EX-22 are:

  • Elevated Reverse shell
  • Downloading and uploading files from compromised machines to remote servers
  • Keylogger
  • Screenshot
  • Ransomware
  • Persistence and privilege elevation
  • Extraction of sensitive information using LSASS dump
  • Hashing
  • Steal tokens
Diamond model for EX-22 (Source: Cyfirma)

Exfiltrator-22 has many similarities to LockBit 3.0: the tactics, techniques, and procedures (TTPs) of EX-22 are shared with those of LockBit 3.0. Both EX-22 and LockBit malware use domain-fronting techniques. EX-22 also uses the same infrastructure for hiding command-and-control traffic, which is associated with the IP 23.216.147[.]76.
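
Domain fronting, which the paragraph above attributes to both EX-22 and LockBit, appears to a TLS-inspecting proxy as a mismatch between the TLS SNI and the HTTP Host header of the same connection. The detection check below is an added example, not code from CYFIRMA's report or from this article; the log field names (`tls_sni`, `http_host`, `src`) and every sample record are constructed assumptions, and it only works where the proxy can see the decrypted Host header.

```python
import json

# Constructed proxy records (not real traffic); field names are assumptions.
SAMPLE_LOG = """\
{"src": "10.0.4.17", "tls_sni": "cdn.example.net", "http_host": "cdn.example.net"}
{"src": "10.0.4.22", "tls_sni": "cdn.example.net", "http_host": "c2-front.example.org"}
{"src": "10.0.4.22", "tls_sni": "CDN.example.net.", "http_host": "cdn.example.net:443"}
{"src": "10.0.4.31", "tls_sni": "", "http_host": "static.example.com"}
{"src": "10.0.4.40", "tls_sni": "www.example.com", "http_host": "img.example.com"}
truncated-or-corrupt line
"""


def normalize(host):
    """Lowercase, drop a :port suffix and trailing dot (IPv6 literals out of scope)."""
    host = (host or "").strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def base_domain(host):
    """Approximate the registrable domain by the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def find_fronting_candidates(lines):
    """Return records whose TLS SNI and HTTP Host header name different hosts."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip corrupt lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        sni, host = normalize(rec.get("tls_sni")), normalize(rec.get("http_host"))
        if not sni or not host or sni == host:
            continue  # missing fields or matching names: nothing to compare
        # Different base domains inside one TLS session is the stronger signal;
        # sibling subdomains are common with shared CDN certificates.
        severity = "high" if base_domain(sni) != base_domain(host) else "low"
        hits.append({"src": rec.get("src"), "sni": sni, "host": host, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_LOG.splitlines()):
        print(hit)
```

Low-severity hits are worth baselining per CDN before alerting, since legitimate clients reuse one connection for several hostnames on the same certificate.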

Attack Vectors and MITRE ATT&CK Identifiers

The attack vectors used in the post-exploitation framework Exfiltrator-22 are:

MITRE ATT&CK Enterprise Identifiers

  • T1027 (Obfuscated Files or Information)
  • T1055 (Process Injection)
  • T1055.003 (Thread Execution Hijacking)
  • T1056.001 (Keylogging)
  • T1057 (Process Discovery)
  • T1082 (System Information Discovery)
  • T1083 (File and Directory Discovery)
  • T1112 (Modify Registry)
  • T1113 (Screen Capture)
  • T1129 (Shared Modules)
  • T1134 (Access Token Manipulation)
  • T1486 (Data Encrypted for Impact)
  • T1497 (Virtualization/Sandbox Evasion)
  • T1497.002 (User Activity Based Checks)
  • T1547.001 (Registry Run Keys / Startup Folder)
  • T1620 (Reflective Code Loading)

IOC


Conclusion

In recent years we have seen an upward trend in cybercriminals using malware as a service (MaaS) to run their threat campaigns. From the features and characteristics of EX-22, it can be concluded that the attackers behind it are highly sophisticated, which will increase the spread of further cyber-attacks. EX-22 will become a tool that attackers turn to when they want to avoid traditional tools, which can be detected easily.

I hope this article helped you understand what the new post-exploitation framework Exfiltrator-22 is and how it relates to LockBit 3.0.

About the author

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
