Days after reports came out that former Lockbit 3.0 affiliates are promoting a new ‘Exfiltrator-22’ post-exploitation framework, the ransomware gang has denied any links to it. 

According to a post on the LockBit leak site, the ransomware gang has claimed that Exfiltrator-22 is a PR stunt by some newbies.

Threat analysts at CYFIRMA this week published a report, tracing the new framework to former Lockbit 3.0 affiliates, who specialize in anti-analysis and defense evasion. They offer it at a hefty subscription fee ranging from $1,000 per month to $5,000 for lifetime access.

Lockbit denies any link to the new threat Actor Exfiltrator-22. In a message posted on a hacker forum, they denied any kind of association and referred to it as a PR gimmick by the new threat actor.#Threatactor#Threatintel#ThreatIntelligence pic.twitter.com/T3wBslrk8f

— FalconFeedsio (@FalconFeedsio) March 2, 2023

Everything you need to you know about Exfiltrator-22

According to CYFIRMA’s research, EXFILTRATOR-22’s initial development was finished by November 27, 2022, or earlier. By December 7, 2022, the threat actor established a telegram channel to promote the malware and attract potential buyers.

Despite undergoing numerous dynamic scans, as of February 13, 2023, the malware has only been detected by 5 out of 70 Online Sandboxes. This suggests that the Threat Actors possess proficiency in anti-analysis and defense evasion techniques.

“In January 2023, an official announcement was made on their channel to keep prospective buyers updated on the progress. It was stated that Ex22 is 87% ready for use and the payment model will be subscription based ($1000 for a month and $5000 for lifetime access),” said the report.

“Upon purchase, the buyer would be given a login panel to access the Ex22 server, hosted on a bulletproof VPS (Virtual Private Server).”

Most recently, the threat actors behind Exfiltrator-22 announced new features that helps conceal traffic on compromised devices, further increasing their ability to cause damage.  

On February 10, 2023, they posted two demonstration videos on YouTube to showcase their framework’s lateral movement and ransomware-spreading capabilities. 

Cybersecurity experts are concerned about the emergence of Exfiltrator-22, which highlights the increasing sophistication of cybercriminals and the growing threat of ransomware attacks.  

The LockBit connection

Upon correlating with data from other malware samples, CYFIRMA research has revealed that a LockBit3.0 sample (sha256- d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee) and the EXFILTRATOR-22 sample share the same technique (Domain Fronting) and network infrastructure for concealing C2 traffic.

“A simple lookup on research tools tells us that the above sample has been actively used in LockBit3.0 campaigns,” said the report.

“Upon further investigation, the CYFIRMA research team has identified that the LockBit3.0 sample utilizes the same C2 infrastructure as EX-22.”

Exfiltrator-22, a matter of concern

It is highly probable that the creators of EX-22 are sophisticated threat actors who will likely continue to enhance the malware’s evasive capabilities, warns the CYFIRMA report. As a result, EX-22 is becoming a popular option for threat actors seeking post-exploitation tools but are hesitant to use conventional tools due to their high detection rates.

CYFIRMA concludes that the threat actors have established a post-exploitation affiliate model for several reasons:

Broadened reach: By implementing an affiliate program, the threat actors can expand their reach to a wider audience, which can increase the number of potential victims. Affiliates can distribute the malware through various channels, such as social media, forums, and other websites.

Reduced risk: Affiliates assume the responsibility of promoting and distributing the malware, minimizing the risk for the threat actor. If an affiliate is caught and prosecuted, the threat actor can distance themselves from the operation and evade detection.

Increased resources: An affiliate program can offer threat actors access to additional resources, including new tools and expertise.

Affiliates may possess specialized skills or have access to particular networks or technologies that the threat actor lacks, which can enhance the campaign’s overall effectiveness.

Enhanced profits: Affiliates often receive a percentage of the profits made from distributing the malware, incentivizing them to disseminate the malware as widely as possible.