Exfiltrator-22, a powerful new post-exploitation cybercriminal tool

March 17, 2023

Alleged former members of the LockBit ransomware group have developed a new post-exploitation tool dubbed Exfiltrator-22 (EX-22). The threat actors reportedly built EX-22 by borrowing ideas from the leaked source code of other post-exploitation tools.

Researchers describe the new post-exploitation kit as operating on a framework-as-a-service model: subscribers use it to spread ransomware across corporate networks while evading security solutions.

The Exfiltrator-22 first emerged in the cybercriminal landscape last year.

According to the investigation, threat analysts first spotted Exfiltrator-22 in the cybercriminal community in November last year. The developers then promoted the tool aggressively, setting up a Telegram channel to advertise it to a wide pool of potential customers.

The following month, the developers announced a new feature that conceals the tool's traffic on infected devices. This December update indicates that the post-exploitation framework is still under active development.

Each EX-22 subscriber gets an admin login panel for the tool's server, which is hosted on a bulletproof VPS.

EX-22 offers subscribers a wide set of capabilities: establishing a reverse shell with elevated privileges, downloading files from the host to the command-and-control server, uploading files to the compromised system, and running a keylogger.

The tool can also capture screenshots, start a live VNC session for real-time access to the infected device, escalate privileges, extract credentials from LSASS and steal authentication tokens, and establish persistence across reboots.

It can likewise generate cryptographic hashes of files on the host to closely monitor file locations and content-change events, and retrieve the list of running processes.
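The article does not say how EX-22 implements its hash-based file monitoring, so the following is an added example of the general technique, not the tool's own code: take a SHA-256 snapshot of a directory tree, take a second one later, and diff them so that edits, new files, deletions and renames (same hash at a different path, which is what lets "file location" changes be tracked) are reported separately. The directory layout and file contents in `demo()` are constructed for the example; the baseline-and-diff design is my assumption about how such monitoring is usually built.

```python
"""Hash-based file-integrity snapshot and diff (added example, not EX-22 code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks: following them would let a link hash content outside root.
            if p.is_symlink() or not p.is_file():
                continue
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(before, after):
    """Classify changes between two snapshots as added/removed/modified/moved.

    A 'move' is a path that disappeared whose hash reappears at a new path;
    indexing the removed files by hash is what separates a rename from a
    delete plus an unrelated create.
    """
    added = set(after) - set(before)
    removed = set(before) - set(after)
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])

    by_hash = {}
    for p in sorted(removed):
        by_hash.setdefault(before[p], []).append(p)

    moved, still_added = [], []
    for p in sorted(added):
        old_paths = by_hash.get(after[p])
        if old_paths:
            moved.append((old_paths.pop(0), p))  # same content, new location
        else:
            still_added.append(p)
    still_removed = sorted(p for paths in by_hash.values() for p in paths)
    return {"added": still_added, "removed": still_removed,
            "modified": modified, "moved": sorted(moved)}


def demo():
    """Constructed scenario: baseline, then one edit, one rename, one new file, one deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "etc" / "old_name.cfg").write_bytes(b"key=value\n")
        (root / "doomed.txt").write_bytes(b"bye\n")
        (root / "note.txt").write_bytes(b"v1\n")
        before = snapshot(root)

        (root / "note.txt").write_bytes(b"v2\n")                               # modified
        (root / "etc" / "old_name.cfg").rename(root / "etc" / "new_name.cfg")  # moved
        (root / "dropper.bin").write_bytes(b"MZ\x90\x00")                      # added
        (root / "doomed.txt").unlink()                                         # removed
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

Run as a script it prints one line per change class. In a real deployment the baseline would be stored off-host and the walk scheduled or driven by filesystem change notifications; the diff logic is the same.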

Finally, EX-22 users can update agents to the latest version, change a campaign's configuration, set scheduled tasks, or create new campaigns. The alleged LockBit-affiliated developers claim the tool is undetectable by every AV and EDR solution, a vendor claim rather than an independently verified one.

Security researchers assess Exfiltrator-22 to be the work of highly sophisticated threat actors with extensive experience building malicious tools. Organizations should therefore rely on multi-layered security with real-time detection and prevention capabilities to defend against this new threat.
