New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises

1 year ago AndyC

Feb
28,
2023Ravie
LakshmananRansomware
/
Malware

A
new
post-exploitation
framework
called
EXFILTRATOR-22
(aka
EX-22)
has
emerged
in
the
wild
with
the
goal
of
deploying
ransomware
within
enterprise
networks
while
flying
under
the
radar.

New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises



Feb
28,
2023Ravie
LakshmananRansomware
/
Malware


New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises

A
new
post-exploitation
framework
called
EXFILTRATOR-22
(aka
EX-22)
has
emerged
in
the
wild
with
the
goal
of
deploying
ransomware
within
enterprise
networks
while
flying
under
the
radar.

“It
comes
with
a
wide
range
of
capabilities,
making
post-exploitation
a
cakewalk
for
anyone
purchasing
the
tool,”
CYFIRMA

said
in
a
new
report.

Some
of
the
notable
features
include
establishing
a
reverse
shell
with
elevated
privileges,
uploading
and
downloading
files,
logging
keystrokes,
launching
ransomware
to
encrypt
files,
and
starting
a
live
VNC
(Virtual
Network
Computing)
session
for
real-time
access.

It’s
also
equipped
to
persist
after
system
reboots,
perform
lateral
movement
via
a
worm,
view
running
processes,
generate
cryptographic
hashes
of
files,
and
extract
authentication
tokens.

The
cybersecurity
firm
assessed
with
moderate
confidence
that
threat
actors
responsible
for
creating
the
malware
are
operating
from
North,
East,
or
Southeast
Asia
and
are
likely
former
affiliates
of
the

LockBit
ransomware.

Advertised
as
a
fully
undetectable
malware
on
Telegram
and
YouTube,
EX-22
is
offered
for
$1,000
a
month
or
$5,000
for
lifetime
access.
Criminal
actors
purchasing
the
toolkit
are
provided
a
login
panel
to
access
the
EX-22
server
and
remotely
control
the
malware.


post-exploitation framework

Since
its
first
appearance
on
November
27,
2022,
the
malware
authors
have
continuously
iterated
the
toolkit
with
new
features,
indicating
active
development
work.

The
connections
to
LockBit
3.0
arise
from
technical
and
infrastructure
overlaps,
with
both
malware
families
utilizing
the
same

domain
fronting
mechanism
for
hiding
command-and-control
(C2)
traffic.

The
post-exploitation-framework-as-a-service
(PEFaaS)
model
is
the
latest
tool
available
for
adversaries
looking
to
maintain
covert
access
to
compromised
devices
over
an
extended
period
of
time.

It
also
joins
other
frameworks
like

Manjusaka
and

Alchimist
as
well
as

legitimate
and
open
source
alternatives
such
as
Cobalt
Strike,
Metasploit,
Sliver,
Empire,
Brute
Ratel,
and
Havoc
that
have
been
co-opted
for
malicious
ends.

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

A SaaS Security Challenge: Getting Permissions All in One Place 

A SaaS Security Challenge: Getting Permissions All in One Place 

7 hours ago AndyC
New Spectre-Style 'Pathfinder' Attack Targets Intel CPU, Leak Encryption Keys and Data

New Spectre-Style ‘Pathfinder’ Attack Targets Intel CPU, Leak Encryption Keys and Data

7 hours ago AndyC
The Fundamentals of Cloud Security Stress Testing

The Fundamentals of Cloud Security Stress Testing

13 hours ago AndyC
Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

13 hours ago AndyC
Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

13 hours ago AndyC
Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator

Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator

1 day ago AndyC

You may have missed

Aussie Broadband gets clearance to hold more Superloop shares

Aussie Broadband gets clearance to hold more Superloop shares

48 mins ago AndyC
CBA changes its chief security officer

CBA changes its chief security officer

49 mins ago AndyC
<div>Radware lauded as Leader in GigaOm's 2024 AAS Security Report</div>

Radware lauded as Leader in GigaOm’s 2024 AAS Security Report

49 mins ago AndyC
You cannot protect what you do not understand

You cannot protect what you do not understand

49 mins ago AndyC
<div>'LogicMonitor appoints ex-Splunk leader Brooke Cunningham as CMO'</div>

‘LogicMonitor appoints ex-Splunk leader Brooke Cunningham as CMO’

49 mins ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.