A new post-exploitation framework called EXFILTRATOR-22 (aka EX-22) has emerged in the wild with the goal of deploying ransomware inside enterprise networks while flying under the radar.
"It comes with a wide range of capabilities, making post-exploitation a cakewalk for anyone purchasing the tool," CYFIRMA said in a new report.
Some of the notable features include establishing a reverse shell with elevated privileges, uploading and downloading files, logging keystrokes, launching ransomware to encrypt files, and starting a live VNC (Virtual Network Computing) session for real-time access.
It is also equipped to persist across system reboots, perform lateral movement via a worm, view running processes, generate cryptographic hashes of files, and extract authentication tokens.
The cybersecurity firm assessed with moderate confidence that the threat actors responsible for creating the malware are operating from North, East, or Southeast Asia and are likely former affiliates of the LockBit ransomware operation.
Advertised as fully undetectable malware on Telegram and YouTube, EX-22 is offered for $1,000 a month or $5,000 for lifetime access. Criminal actors purchasing the toolkit are given a login panel to access the EX-22 server and remotely control the malware.
Since its first appearance on November 27, 2022, the malware authors have continuously iterated on the toolkit with new features, indicating active development.
The connections to LockBit 3.0 arise from technical and infrastructure overlaps, with both malware families employing the same domain fronting mechanism for hiding command-and-control (C2) traffic. In domain fronting, the DNS lookup and the TLS SNI name a reputable domain served by a CDN, while the HTTP Host header inside the encrypted session names the attacker's backend on the same CDN; a network defender who only sees DNS and TLS metadata observes nothing but connections to the benign domain, so the mismatch is visible only where TLS is terminated or inspected.
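The following is an added detection example, not code from CYFIRMA's report and not part of EX-22 or LockBit. It assumes a proxy or sensor that terminates TLS and records, per request, the client address, the TLS SNI and the inner HTTP Host header; the records and hostnames below are constructed for the demo, not indicators from the report. It flags requests where SNI and Host point at different sites, which is the on-the-wire shape of domain fronting, and it separates that from the common and low-signal case of two hostnames on one site and from records where one side is simply unobservable.

```python
"""Flag HTTPS requests whose TLS SNI names one site while the inner HTTP
Host header names another, the signature of domain fronting through a
shared CDN. Added example: not the report's or the malware's own code.
Records are assumed to come from a TLS-inspecting proxy, because the Host
header is encrypted on the wire and is invisible to a passive sensor."""

from collections import Counter

# Constructed sample records with hypothetical hostnames (not real indicators).
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "sni": "cdn.example-media.com", "host": "cdn.example-media.com"},
    {"src": "10.0.0.5", "sni": "cdn.example-media.com", "host": "updates.example-c2.net"},
    {"src": "10.0.0.5", "sni": "CDN.Example-Media.com.", "host": "updates.example-c2.net:443"},
    {"src": "10.0.0.7", "sni": "www.example-shop.com", "host": "static.example-shop.com"},
    {"src": "10.0.0.9", "sni": "api.example-bank.com", "host": ""},   # Host not seen: opaque TLS
    {"src": "10.0.0.9", "sni": "", "host": "api.example-bank.com"},   # no SNI: ECH or IP literal
]


def normalize_host(name):
    """Lower-case, strip a trailing dot and any :port so 'A.B.' and 'a.b:443' compare equal."""
    name = (name or "").strip().lower().rstrip(".")
    if name.startswith("["):          # bracketed IPv6 literal: leave untouched
        return name
    return name.split(":", 1)[0]


def registrable_domain(name):
    """Approximate the registrable domain by the last two labels.
    A real deployment would use a public-suffix list; this is enough for the demo."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def classify(record):
    """Return 'unobservable', 'match', 'same_site' or 'fronted' for one request record."""
    sni = normalize_host(record.get("sni"))
    host = normalize_host(record.get("host"))
    if not sni or not host:
        return "unobservable"         # cannot compare: missing SNI or no visibility into HTTP
    if sni == host:
        return "match"
    if registrable_domain(sni) == registrable_domain(host):
        return "same_site"            # www vs static on one site: common, low signal
    return "fronted"                  # different sites behind one TLS front: investigate


def find_fronting_candidates(records):
    """Group 'fronted' records by (src, sni, host) and return [(key, count)], most frequent first.
    Repeated identical mismatches from one source are the beaconing pattern worth triaging."""
    counts = Counter()
    for r in records:
        if classify(r) == "fronted":
            counts[(r["src"], normalize_host(r["sni"]), normalize_host(r["host"]))] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (src, sni, host), n in find_fronting_candidates(SAMPLE_RECORDS):
        print(f"{src}: SNI={sni} Host={host} x{n}")
```

The `same_site` bucket exists because CDN customers routinely front several of their own hostnames through one certificate; alerting on every SNI/Host difference would drown the rare cross-site case that actually indicates fronting. The `unobservable` bucket is the honest limit of the technique: without TLS termination there is no Host header to compare, and the only remaining signals are the CDN endpoint, JA3/JA4-style client fingerprints and beaconing cadence.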
The post-exploitation-framework-as-a-service (PEFaaS) model is the latest option available to adversaries looking to maintain covert access to compromised devices over an extended period of time.
It also joins other frameworks like Manjusaka and Alchimist, as well as legitimate and open source alternatives such as Cobalt Strike, Metasploit, Sliver, Empire, Brute Ratel, and Havoc, that have been co-opted for malicious ends.