The PolySwarm Blog


Exfiltrator-22 Framework

Mar 21, 2023 2:09:02 PM / by The Hivemind

Related Families: LockBit, LockBit 3.0
Verticals Targeted: Multiple 

Executive Summary

CYFIRMA recently reported on Exfiltrator-22, also known as EX-22, a new post-exploitation framework capable of spreading ransomware while evading detection.

Key Takeaways

  • Exfiltrator-22, also known as EX-22, is a new post-exploitation framework capable of spreading ransomware while evading detection. 
  • Exfiltrator-22, which is a framework-as-a-service, is designed to primarily target corporate networks.
  • Analysts at CYFIRMA have linked Exfiltrator-22 to former LockBit 3.0 affiliates.

What is Exfiltrator-22?

CYFIRMA recently reported on Exfiltrator-22, also known as EX-22, a new post-exploitation framework capable of spreading ransomware while evading detection. Exfiltrator-22, which is a framework-as-a-service, is designed to primarily target corporate networks. It was first seen in the wild in late 2022. Thus far, most of the threat actors using Exfiltrator-22 seem to be operating from China, Taiwan, Hong Kong, Malaysia, Singapore, and the Philippines.

Exfiltrator-22 includes the following features:

  • Establishing a reverse shell with elevated privileges
  • Uploading and downloading of files to and from the host and C2
  • Keylogging
  • A ransomware module
  • Screenshotting
  • Live VNC session
  • Privilege escalation
  • Maintaining persistence on reboot
  • A worm module for lateral movement 
  • Data extraction from LSASS
  • Generating cryptographic file hashes to monitor file locations and content changes
  • Fetching a list of running processes on the victim machine
  • Extracting authentication tokens

Exfiltrator-22 is for sale for $1000 USD per month or $5000 USD for lifetime access, including updates and support. The individuals buying the framework are given an admin panel with bulletproof hosting, allowing them to interact with the malware and with victim machines.

Analysts at CYFIRMA have linked Exfiltrator-22 to former LockBit 3.0 affiliates. They noted the same domain fronting technique used with LockBit and use of the same C2 infrastructure as LockBit 3.0. The framework’s complexity and evasiveness point to programmers who are skilled in anti-analysis and defense evasion techniques.

IOCs

PolySwarm has a sample of Exfiltrator-22.

32746688a23543e674ce6dcf03256d99988a269311bf3a8f0f944016fe3a931d

You can use the following CLI command to search for all Exfiltrator-22 samples in our portal:

$ polyswarm link list -f Exfiltrator-22
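
To check a host or a mounted disk image for the sample hash listed above, the following added example (not PolySwarm's tooling and not part of the original post) walks a directory tree and compares each file's SHA-256 against it. The function names and the demo file are assumptions constructed for illustration; only the hash comes from this post.

```python
import hashlib
import os
import tempfile

# SHA-256 of the Exfiltrator-22 sample listed in this post's IOCs section.
EX22_SHA256 = {
    "32746688a23543e674ce6dcf03256d99988a269311bf3a8f0f944016fe3a931d",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=EX22_SHA256):
    """Return (matches, unreadable) for regular files under root.

    matches: paths whose SHA-256 is in iocs.
    unreadable: paths that could not be hashed (locked, permission denied),
    reported so that a clean result is not mistaken for full coverage.
    """
    wanted = {h.lower() for h in iocs}
    matches, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, device nodes
            try:
                if sha256_file(path) in wanted:
                    matches.append(path)
            except OSError:
                unreadable.append(path)
    return sorted(matches), sorted(unreadable)


if __name__ == "__main__":
    # Constructed demo: a temporary tree holding one harmless file.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"constructed sample content")
        print(sweep(tmp))
```

A single file hash only identifies this exact sample; a rebuilt or repacked binary will not match, so an empty result does not rule out the framework.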




Topics: Threat Bulletin, LockBit, Lockbit 3.0, Exfiltrator-22, EX-22, framework
