
A new post-exploitation framework called EXFILTRATOR-22 (aka EX-22) has emerged in the wild with the goal of deploying ransomware inside enterprise networks while flying under the radar.
"It comes with a wide range of capabilities, making post-exploitation a cakewalk for anyone purchasing the tool," CYFIRMA said in a new report.
Some of the notable features include establishing a reverse shell with elevated privileges, uploading and downloading files, logging keystrokes, launching ransomware to encrypt files, and starting a live VNC (Virtual Network Computing) session for real-time access.
It is also equipped to persist after system reboots, perform lateral movement via a worm, view running processes, generate cryptographic hashes of files, and extract authentication tokens.
The cybersecurity firm assessed with moderate confidence that the threat actors responsible for creating the malware are operating from North, East, or Southeast Asia and are likely former affiliates of the LockBit ransomware operation.
Advertised as fully undetectable malware on Telegram and YouTube, EX-22 is offered for $1,000 a month or $5,000 for lifetime access. Criminal actors purchasing the toolkit are provided a login panel to access the EX-22 server and remotely control the malware.

Since its first appearance on November 27, 2022, the malware authors have continuously iterated the toolkit with new features, indicating active development work.
The connections to LockBit 3.0 arise from technical and infrastructure overlaps, with both malware families employing the same domain fronting mechanism for hiding command-and-control (C2) traffic.
The post-exploitation-framework-as-a-service (PEFaaS) model is the latest tool available for adversaries looking to maintain covert access to compromised devices over an extended period of time.
It also joins other frameworks like Manjusaka and Alchimist as well as legitimate and open source offerings such as Cobalt Strike, Metasploit, Sliver, Empire, Brute Ratel, and Havoc that have been co-opted for malicious ends.
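The domain fronting mechanism mentioned above hides C2 traffic by sending one hostname in the TLS SNI and a different one in the HTTP Host header. As an added illustration, not code from CYFIRMA's report or from the EX-22 toolkit, the following defender-side check flags that mismatch in constructed proxy log records; all hostnames and IPs are placeholders, and the log format is assumed.

```python
"""Flag domain-fronting candidates: TLS SNI disagrees with the HTTP Host header.

Input is a list of constructed records of the kind a TLS-inspecting proxy
(or a Zeek ssl/http correlation) could emit. Hostnames are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpOverTls:
    src_ip: str
    sni: str          # server name sent in the TLS ClientHello
    host_header: str  # Host: header inside the decrypted HTTP request
    dst_ip: str


def registrable_domain(hostname: str) -> str:
    """Crude eTLD+1 (last two labels); production code should use the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def is_fronting_candidate(rec: HttpOverTls) -> bool:
    """True when SNI and Host differ at the registrable-domain level.

    Same-org differences (www.example-cdn.net vs static.example-cdn.net) are
    normal for CDNs, so only cross-domain mismatches are flagged.
    """
    if not rec.sni or not rec.host_header:
        return False  # nothing to compare without both values
    return registrable_domain(rec.sni) != registrable_domain(rec.host_header)


def fronting_alerts(records):
    """Return (src_ip, sni, host_header) tuples that merit analyst review."""
    return [(r.src_ip, r.sni, r.host_header) for r in records if is_fronting_candidate(r)]


# Constructed sample records; domains are placeholders, not real indicators.
SAMPLE = [
    HttpOverTls("10.0.0.5", "cdn.example-cdn.net", "cdn.example-cdn.net", "203.0.113.10"),
    HttpOverTls("10.0.0.5", "www.example-cdn.net", "static.example-cdn.net", "203.0.113.10"),
    HttpOverTls("10.0.0.7", "cdn.example-cdn.net", "hidden-origin.example", "203.0.113.10"),
    HttpOverTls("10.0.0.9", "", "internal.corp.example", "198.51.100.4"),
]

if __name__ == "__main__":
    for alert in fronting_alerts(SAMPLE):
        print("possible domain fronting:", alert)
```

Only the third record is reported; the CDN-internal hostname difference and the record with no SNI are left alone.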