
Stealthy EX-22 post-exploitation tool linked to LockBit ransomware

February 28, 2023 – Published on SC Magazine

A new stealthy post-exploitation framework in the wild aims to deploy ransomware in enterprise networks while evading detection. 

Dubbed EXFILTRATE-22 or EX-22, the framework was built using the leaked source code of other post-exploitation frameworks with the same command-and-control infrastructure and “domain fronting” technique as LockBit 3.0.

Promoted as fully undetectable malware on YouTube and Telegram, EXFILTRATE-22 is priced from $1,000 for a monthly subscription to $5,000 for lifetime access. The buyer also receives a login panel for the EXFILTRATE-22 server, which allows threat actors to remotely control the malware.

Some of the more notable capabilities of EXFILTRATE-22 include establishing an elevated reverse shell, uploading and downloading files, logging keystrokes on an infected device, and (of course) deploying ransomware to encrypt files.

The framework can also bypass User Account Control (UAC), create scheduled tasks with a single command, and allow attackers to check group memberships for existing users to determine whether privilege escalation is needed.

Given that the LockBit 3.0 ransomware builder was leaked in September last year, Nic Finn, threat intelligence consultant at GuidePoint Security, told SC Media that the development of EX-22 appears to be an example of threat actors using leaked source code to build their own ransomware businesses.

“We are seeing more ransomware groups popping up with various slightly modified versions of the LockBit tooling over the past few months. With the leaked code, threat actors can easily develop their own tools without paying the ransomware affiliate,” Finn said.
