Stealthy EX-22 post-exploitation tool linked to LockBit ransomware


A new stealthy post-exploitation framework in the wild aims to deploy ransomware in enterprise networks while evading detection. 

Dubbed EXFILTRATE-22 or EX-22, the framework was built using the leaked source code of other post-exploitation frameworks, and it uses the same command-and-control infrastructure and "domain fronting" technique as LockBit 3.0, according to Singapore-based security firm CYFIRMA.

The CYFIRMA research team claims that the threat actors behind it are likely former LockBit affiliates, ones with a thorough understanding of defense evasion and anti-analysis techniques.  

"The threat actors are willing to build their own affiliate program and are coming out with an aggressive marketing strategy — claiming to be [fully undetectable] by every Antivirus and EDR vendor," CYFIRMA noted in a blog post.  

Promoted as fully undetectable malware on YouTube and Telegram, the price for EXFILTRATE-22 ranges from $1,000 for a monthly subscription to $5,000 for lifetime access. The buyer will also receive a login panel to access the EXFILTRATE-22 server, which allows threat actors to remotely control the malware.  

"By keeping their operations centralized on a remote server, [the threat actors] can make it more difficult for security researchers to analyze and identify the source of the malware," CYFIRMA said.  

Some of the more notable capabilities of EXFILTRATE-22 include establishing an elevated reverse shell, uploading and downloading files, logging keystrokes on an infected device, and (of course) deploying ransomware to encrypt files.

The framework can also bypass User Account Control, create scheduled tasks with a single command, and allow attackers to check group memberships for existing users to determine if privilege escalation is needed.

"It can be concluded with high confidence that the threat actors who created EX-22 are highly sophisticated threat actors that are likely to continue to increase the evasiveness of the malware. With continuous improvements and support, EX-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post-exploitation phase but do not want to go with the traditional tools due to high detection rates," CYFIRMA said.  

Given that the LockBit 3.0 ransomware builder was leaked in September last year, Nic Finn, threat intelligence consultant at GuidePoint Security, told SC Media the development of EX-22 appears to be an example of threat actors using leaked source code to develop their own ransomware business.  

But unlike many ephemeral groups that emerged to make a short-term profit, the threat actors behind EX-22 appear to be organized and ambitious, said Recorded Future ransomware expert Allan Liska.

"A sophisticated exploitation framework really challenges defenders. We've already had stealthy frameworks like Cobalt Strike and Brute Ratel, and having EX-22 join as the third alternative is definitely something defenders should watch out for," Liska said. 

"We've seen threat actors in the past use slightly modified versions of leaked ransomware tooling. With how successful LockBit has been, it's very likely that these ransomware groups popping up are integrating portions of LockBit's leaked tooling as well," Finn said.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
