A brand new post-exploitation framework referred to as EXFILTRATOR-22 (aka EX-22) has emerged within the wild with the objective of deploying ransomware inside enterprise networks whereas flying underneath the radar.
“It comes with a variety of capabilities, making post-exploitation a cakewalk for anybody buying the device,” CYFIRMA stated in a brand new report.
A number of the notable options embody establishing a reverse shell with elevated privileges, importing and downloading recordsdata, logging keystrokes, launching ransomware to encrypt recordsdata, and beginning a reside VNC (Digital Community Computing) session for real-time entry.
It is also geared up to persist after system reboots, carry out lateral motion through a worm, view operating processes, generate cryptographic hashes of recordsdata, and extract authentication tokens.
The cybersecurity agency assessed with reasonable confidence that menace actors answerable for creating the malware are working from North, East, or Southeast Asia and are possible former associates of the LockBit ransomware.
Marketed as a completely undetectable malware on Telegram and YouTube, EX-22 is obtainable for $1,000 a month or $5,000 for lifetime entry. Felony actors buying the toolkit are offered a login panel to entry the EX-22 server and remotely management the malware.
Since its first look on November 27, 2022, the malware authors have constantly iterated the toolkit with new options, indicating lively improvement work.
The connections to LockBit 3.0 come up from technical and infrastructure overlaps, with each malware households using the identical area fronting mechanism for hiding command-and-control (C2) visitors.
The post-exploitation-framework-as-a-service (PEFaaS) mannequin is the most recent device accessible for adversaries seeking to keep covert entry to compromised units over an prolonged time period.
It additionally joins different frameworks like Manjusaka and Alchimist in addition to respectable and open supply options corresponding to Cobalt Strike, Metasploit, Sliver, Empire, Brute Ratel, and Havoc which were co-opted for malicious ends.