Exfiltrator-22: The Newest Post-Exploitation Toolkit Nipping at Cobalt Strike's Heels
The framework-as-a-service signals an intensification of the cat-and-mouse game between defenders detecting lateral movement, and cybercriminals looking to go unnoticed.
February 28, 2023
The post-exploitation tools market has chalked up a newcomer with the emergence of Exfiltrator-22. An upstart alternative to Cobalt Strike, the Exfiltrator-22 framework-as-a-service (FaaS) tool set, first seen in December, was "likely" developed by ex-affiliates of the notorious LockBit ransomware gang, according to researchers.
According to a Cyfirma report on Feb. 28, Ex-22 possesses advanced post-exploit capabilities that include elevated reverse shell, remote file download and upload, screenshot and live session monitoring of infected devices, privilege elevation capabilities and LSASS credential dumping, and persistence capabilities. Buyers get access to an administration panel through a $1,000 monthly subscription. The researchers say they're moderately certain this crew is operating out of Asian countries and engaged in an ambitious buildout of its own affiliate program, along with an "aggressive" marketing campaign.
Meanwhile, recent samples of LockBit 3.0 campaigns show they utilize the same command-and-control (C2) infrastructure as Exiltration-22.
The Ex-22 creators claim their framework is "fully undetectable" by every antivirus and endpoint detection and response (EDR) vendor. While that's not totally true, "as of 13th February 2023, the malware still has 5/70 detections on Online Sandboxes, even after multiple dynamic scans being performed," the report explains. "This tells us that the threat actors are skilled at anti-analysis and defense evasion techniques."
The analysis points to what some security pundits see as a slight shift in the winds of post-exploit activity. While Cobalt Strike still remains the dominant tooling of choice for the bad guys, security tooling capable of picking up on activity stemming from this framework is mounting, and the criminal marketplace is spinning up to provide a more stealthy alternative. Last year's most notable example of this movement was the increased adoption of Brute Ratel C4 for malicious post-exploit activity.
"With continuous improvements and support, Ex-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post exploitation phase but do not want to go with the traditional tools due to high detection rates," the report explained.
Post-Exploitation Options Proliferate
Interestingly, Ex-22 is actually the second high-profile, highly evasive post-exploitation framework uncovered by security researchers this month. Earlier in February, researchers with Zscaler ThreatLabZ published an analysis of a campaign they observed targeting a government organization using a C2 framework called Havoc.
"While C2 frameworks are prolific, the open source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques, such as indirect syscalls and sleep obfuscation," wrote Zscaler researchers Niraj Shivtarkar and Shatak Jain in a Feb. 14 analysis.
Meantime, in January researchers with Cybereason detailed recent campaigns utilizing the C2 framework Sliver for post-exploitation activity. This follows up on work done by Microsoft and Team Cymru tracking the rise of Sliver. An open source alternative, Sliver is also cross-platform, offering support for action on OS X, Linux, and Windows.
About the Author
You May Also Like