Exfiltrator-22: The Newest Post-Exploitation Toolkit Nipping at Cobalt Strike's Heels

Published: 23/11/2024   Category: security
The framework-as-a-service signals an intensification of the cat-and-mouse game between defenders detecting lateral movement, and cybercriminals looking to go unnoticed.



The post-exploitation tools market has chalked up a newcomer with the emergence of Exfiltrator-22. An upstart alternative to Cobalt Strike, the Exfiltrator-22 framework-as-a-service (FaaS) tool set, first seen in December, was likely developed by ex-affiliates of the notorious LockBit ransomware gang, according to researchers.
According to a Cyfirma report on Feb. 28, Ex-22 possesses advanced post-exploit capabilities that include an elevated reverse shell, remote file download and upload, screenshot and live session monitoring of infected devices, privilege elevation and LSASS credential dumping, and persistence. Buyers get access to an administration panel through a $1,000 monthly subscription. The researchers say they're moderately certain this crew is operating out of Asian countries and is engaged in an ambitious buildout of its own affiliate program, along with an aggressive marketing campaign.
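As an added example (not code from the article or from Cyfirma's report), the following Python script shows the kind of host-side detection that the LSASS credential-dumping capability described above leaves open to defenders: it scans Sysmon Event ID 10 (ProcessAccess) records and flags any process outside a small allowlist that obtains PROCESS_VM_READ on lsass.exe. The flattened key=value log format, the allowlist and the sample lines are constructed assumptions for illustration; the access-right constants are the documented Windows values.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon ProcessAccess (Event ID 10) records.

Added example for illustration; not code from the article or from Cyfirma.
The log layout below (flattened Key=Value pairs, quoted paths) is an assumption.
"""
import re
from dataclasses import dataclass

# Documented Windows process access rights (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Hypothetical allowlist: system processes that legitimately open lsass.exe.
# A real deployment would tune this per host role and EDR agent.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}


@dataclass
class Alert:
    source: str
    target: str
    granted: int
    reason: str


# Key=Value pairs; values are either single-quoted (paths with spaces) or bare tokens.
_FIELD = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_event(line: str) -> dict:
    """Parse one flattened Sysmon record into a dict of field -> value."""
    return {key: value.strip("'") for key, value in _FIELD.findall(line)}


def evaluate(event: dict):
    """Return an Alert if the record is a non-allowlisted read of lsass.exe memory."""
    if event.get("EventID") != "10":
        return None  # only ProcessAccess records matter here
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    # Reading LSASS memory (credential dumping) requires PROCESS_VM_READ;
    # query-only masks such as 0x1400 are common for benign tooling.
    if granted & PROCESS_VM_READ:
        return Alert(source, target, granted,
                     "PROCESS_VM_READ on lsass.exe from non-allowlisted process")
    return None


def scan(lines):
    """Run the rule over a sequence of log lines and collect the alerts."""
    return [a for a in (evaluate(parse_event(ln)) for ln in lines) if a]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"EventID=10 SourceImage='C:\Windows\System32\csrss.exe' TargetImage='C:\Windows\System32\lsass.exe' GrantedAccess=0x1FFFFF",
    r"EventID=1 Image='C:\Users\Public\update.exe' ParentImage='C:\Windows\explorer.exe'",
    r"EventID=10 SourceImage='C:\Users\Public\update.exe' TargetImage='C:\Windows\System32\lsass.exe' GrantedAccess=0x1010",
    r"EventID=10 SourceImage='C:\Program Files\Vendor\agent.exe' TargetImage='C:\Windows\System32\svchost.exe' GrantedAccess=0x1010",
    r"EventID=10 SourceImage='C:\Windows\System32\taskmgr.exe' TargetImage='C:\Windows\System32\lsass.exe' GrantedAccess=0x1400",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT: {alert.source} -> {alert.target} "
              f"(GrantedAccess=0x{alert.granted:X}): {alert.reason}")
```

Only the unknown binary opening lsass.exe with a mask that includes PROCESS_VM_READ (0x1010) is reported; the allowlisted csrss.exe open, the query-only 0x1400 open, and the access to svchost.exe are ignored. The rule is deliberately narrow on the access mask rather than the source path, because a renamed or injected-into process defeats path-based checks far more easily than it avoids the access right it needs.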
Meanwhile, recent samples of LockBit 3.0 campaigns show they utilize the same command-and-control (C2) infrastructure as Exfiltrator-22.
The Ex-22 creators claim their framework is fully undetectable by every antivirus and endpoint detection and response (EDR) vendor. "While that's not totally true, as of 13th February 2023, the malware still has 5/70 detections on Online Sandboxes, even after multiple dynamic scans being performed," the report explains. "This tells us that the threat actors are skilled at anti-analysis and defense evasion techniques."
The analysis points to what some security pundits see as a slight shift in the winds of post-exploit activity. While Cobalt Strike still remains the dominant tooling of choice for the bad guys, security tooling capable of picking up on activity stemming from this framework is mounting, and the criminal marketplace is spinning up to provide a more stealthy alternative. Last year's most notable example of this movement was the increased adoption of Brute Ratel C4 for malicious post-exploit activity.
"With continuous improvements and support, Ex-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post exploitation phase but do not want to go with the traditional tools due to high detection rates," the report explained.
Interestingly, Ex-22 is actually the second high-profile, highly evasive post-exploitation framework uncovered by security researchers this month. Earlier in February, researchers with Zscaler ThreatLabZ published an analysis of a campaign they observed targeting a government organization using a C2 framework called Havoc.
"While C2 frameworks are prolific, the open source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques, such as indirect syscalls and sleep obfuscation," wrote Zscaler researchers Niraj Shivtarkar and Shatak Jain in a Feb. 14 analysis.
Meantime, in January researchers with Cybereason detailed recent campaigns utilizing the C2 framework Sliver for post-exploitation activity. This follows up on work done by Microsoft and Team Cymru tracking the rise of Sliver. An open source alternative, Sliver is also cross-platform, offering support for action on OS X, Linux, and Windows.
