A new report from cybersecurity firm CYFIRMA warns of a new post-exploitation framework known as EXFILTRATOR-22 or EX-22, which aims to deploy ransomware in enterprise networks undetected.
The malware is designed to fly under the radar with a range of capabilities, making post-exploitation easy for anyone purchasing the tool. The malware is equipped with features such as launching ransomware to encrypt files, establishing a reverse shell with elevated privileges, and logging keystrokes.
EX-22 also enables criminals to start a live VNC session for real-time access, persist after system reboots, and generate cryptographic hashes of files.
The malware creators likely operate from North, East, or Southeast Asia and are former affiliates of the LockBit ransomware enterprise. CYFIRMA assessed with moderate confidence that the threat actors are behind the creation of the malware.
EX-22 is advertised as a fully undetectable malware on Telegram and YouTube and is available for $1,000 a month or $5,000 for lifetime access. Criminals purchasing the toolkit are provided with a login panel to access the EX-22 server and remotely control the malware.
The connections to LockBit 3.0 arise from technical and infrastructure overlaps, with both malware families utilizing the same domain fronting mechanism for hiding command-and-control (C2) traffic.
Since its first appearance on November 27, 2022, the malware authors have continuously iterated the toolkit with new features, indicating active development work. EX-22 has gained attention among cybercriminals due to its fully undetectable nature and its ability to deploy ransomware without detection.
In conclusion, EXFILTRATOR-22 or EX-22 is a new ransomware threat that poses a significant risk to enterprise networks. Its undetectable nature and range of capabilities make it easy for cybercriminals to deploy ransomware undetected.
As the malware creators continuously iterate the toolkit with new features, the threat of ransomware attacks continues to increase, emphasizing the need for robust cybersecurity measures to protect enterprise networks.