CYFIRMA analyzes EXFILTRATOR-22, a new post-exploitation framework marketed via Telegram and YouTube, built with anti-analysis capabilities and sold through an affiliate model. The actors use domain fronting over CDN infrastructure to conceal C2 traffic and offer the framework as a subscription service, aiming to evade modern security tools.
Keypoints
- EXFILTRATOR-22 (EX-22) is a post-exploitation framework analyzed by CYFIRMA, likely developed by actors in Asia.
- The project timeline shows initial development by 2022-11-27, with a Telegram channel launched on 2022-12-07 to market the malware.
- As of 2023-02-13, the malware had only 5/70 detections in online sandboxes, signaling strong anti-analysis and defense-evasion capabilities.
- The feature set includes an elevated reverse shell, file download/upload, keylogging, ransomware, screenshots, live VNC sessions, privilege elevation, persistence, lateral movement, LSASS dumping, hashing, task listing and token theft.
- The operators provide a centralized admin panel on a subscription model, enabling remote control, automation, selection of UAC bypass technique, and payload deployment/scheduling.
- Traffic is hidden via domain fronting through the Akamai CDN and Tor meek-style obfuscation; EXFILTRATOR-22 shares infrastructure with LockBit3.0.
- CYFIRMA notes an affiliate-model approach to expand reach, reduce risk, gain resources, and boost profits for the threat actors.
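The domain-fronting point above is the one a defender can act on: the TLS ClientHello carries the CDN front in its SNI, while the HTTP Host header inside the tunnel names the real backend. The following is an added example, not CYFIRMA's tooling and not code from the EX-22 project. It assumes a TLS-inspecting proxy that logs, per request, the client IP, server IP, SNI and inner Host header in the hypothetical line format shown; the log lines, host names and the `classify` labels are constructed for the example. It also shows why the listed CDN IP on its own is a weak indicator: a hit on a shared Akamai edge address without an SNI/Host mismatch is reported separately as low confidence.

```python
"""Flag TLS sessions whose SNI and inner HTTP Host header disagree.

Added example (not CYFIRMA's or EX-22's code). Assumes a hypothetical
proxy log format:  <ts> <client_ip> <server_ip> sni=<name> host=<name>
"""
from dataclasses import dataclass

# IPs taken from the report's IOC list; host names are constructed.
IOC_IPS = frozenset({"23.216.147.76", "20.99.184.37"})

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2023-02-13T10:01:02Z 10.0.0.5 23.216.147.76 sni=www.front-site.example host=www.front-site.example
2023-02-13T10:01:05Z 10.0.0.5 23.216.147.76 sni=www.front-site.example host=c2-backend.example
2023-02-13T10:02:10Z 10.0.0.7 198.51.100.20 sni=api.service.example host=API.service.example:443
2023-02-13T10:03:00Z 10.0.0.9 20.99.184.37 sni=portal.other.example host=portal.other.example
"""


@dataclass(frozen=True)
class Record:
    ts: str
    client: str
    server: str
    sni: str
    host: str


def parse_line(line: str) -> Record:
    """Parse one line of the hypothetical proxy format into a Record."""
    ts, client, server, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Record(ts, client, server, fields["sni"], fields["host"])


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and an explicit :port so that
    benign variations (Host: API.example:443) are not flagged."""
    name = name.strip().lower().rstrip(".")
    if ":" in name and not name.startswith("["):
        name = name.rsplit(":", 1)[0]
    return name


def is_fronted(rec: Record) -> bool:
    """True when the SNI (outer, visible) and Host (inner) names differ."""
    return normalize(rec.sni) != normalize(rec.host)


def classify(rec: Record, ioc_ips=IOC_IPS) -> str:
    """'fronting'    : SNI/Host mismatch, strong signal regardless of IP
       'ioc-ip-only' : shared CDN/cloud IP from the IOC list, no mismatch;
                       low confidence, needs further pivoting
       'benign'      : neither"""
    if is_fronted(rec):
        return "fronting"
    if rec.server in ioc_ips:
        return "ioc-ip-only"
    return "benign"


def find_fronting(log_text: str) -> list:
    """Return the records with an SNI/Host mismatch."""
    return [
        rec
        for rec in (parse_line(l) for l in log_text.splitlines() if l.strip())
        if is_fronted(rec)
    ]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(f"{classify(rec):12} {rec.server:15} sni={rec.sni} host={rec.host}")
```

Run against a real proxy export, the `fronting` bucket is what to triage first; the `ioc-ip-only` bucket should be correlated with the SNI and JA3 of the session rather than blocked outright, since the same Akamai edge serves legitimate customers.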
MITRE Techniques
- [T1129] Shared Modules – Parses PE header; Links function at runtime on Windows. Quote: ‘Parses PE header…Links function at runtime on Windows’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persists via Run registry key. Quote: ‘Persists via Run registry key’
- [T1055] Process Injection – Spawn processes; Creates a process in suspended mode (likely to inject code). Quote: ‘Spawn processes…Creates a process in suspended mode (likely to inject code)’
- [T1134] Access Token Manipulation – Acquires debug privileges; Modifies access privileges. Quote: ‘Acquires debug privileges…Modifies access privileges’
- [T1497] Virtualization/Sandbox Evasion – Evasive sleep loops hinder dynamic analysis. Quote: ‘Evasive sleep loops hinder dynamic analysis’
- [T1027] Obfuscated Files or Information – Encrypts data using RC4 PRGA. Quote: ‘Encrypts data using RC4 PRGA’
- [T1055.003] Process Injection: Thread Execution Hijacking – Hijacks thread execution. Quote: ‘Hijacks thread execution’
- [T1112] Modify Registry – Deletes registry key. Quote: ‘Deletes registry key’
- [T1564.003] Hide Artifacts: Hidden Window – Hides graphical window. Quote: ‘Hides graphical window’
- [T1620] Reflective Code Loading – Loads code reflectively. Quote: ‘Reflective code loading’
- [T1056.001] Input Capture: Keylogging – Logs keystrokes via polling. Quote: ‘Logs keystrokes via polling’
- [T1082] System Information Discovery – Reads software policies. Quote: ‘Reads software policies’
- [T1010] Application Window Discovery – Finds graphical window. Quote: ‘Finds graphical window’
- [T1057] Process Discovery – Enumerates processes. Quote: ‘Enumerates processes’
- [T1082] System Information Discovery – Queries environment variable. Quote: ‘Queries environment variable’
- [T1083] File and Directory Discovery – Checks if the file exists. Quote: ‘Checks if the file exists’
- [T1497.002] Virtualization/Sandbox Evasion: User Activity-Based Checks – Checks for unmoving mouse cursor. Quote: ‘Checks for unmoving mouse cursor’
- [T1113] Screen Capture – Captures screenshots. Quote: ‘Captures screenshots’
- [T1486] Data Encrypted for Impact – Modifies user documents; writes a ransom notice. Quote: ‘Modifies user documents; Writes a notice file (html or text) to demand a ransom’
Indicators of Compromise
- [MD5] Exfiltrator-22 hash – 874726830ae6329d3460767970a2f805. Context: EX-22 sample hash listed in the CYFIRMA report.
- [SHA1] Exfiltrator-22 hash – eca49c8962c55bfb11d4dc612b275daa85cfe8c3. Context: EX-22 sample hash listed in the CYFIRMA report.
- [SHA256] Exfiltrator-22 hash – 32746688a23543e674ce6dcf03256d99988a269311bf3a8f0f944016fe3a931d. Context: EX-22 sample hash listed in the CYFIRMA report.
- [Filename] Worm.exe, Worm24.exe – Context: filenames listed as IoCs in the analysis report.
- [IPv4] 23.216.147.76, 20.99.184.37 – Context: IP addresses associated with C2 infrastructure. Caveat: because the framework fronts its C2 through the Akamai CDN, these addresses are shared edge/cloud IPs that also serve legitimate traffic; use them to pivot (SNI, Host header, JA3, timing) rather than as standalone block rules.
Read more: https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/