Floxif Trojan is primarily known for being used by the Winnti group, they distributed it with the infected CCleaner, which was downloaded by users from the official site. The attack occurred in September 2017, attackers allegedly gained access to CCleaner’s build environment. Floxif Trojan was used with Nyetya Trojan to collect information about infected systems and deliver the next stage payload. During that attack, cybercriminals were interested in the largest technology companies, including Google and Microsoft. Since then, the trojan has been used more than once in attacks, one of its distinctive abilities is the modification of legitimate files turning them into backdoors. Also, the trojan can download additional malware, execute various .exe files, and neutralize installed anti-malware solutions. Ariel Millahuel’s new rule allows Floxif to be detected during installation and to respond to a threat before serious damage is done: https://tdm.socprime.com/tdm/info/KpSB21CgFObY/nYyRCHIB1-hfOQirvSY3/?p=1

Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, RSA NetWitness, Sumo Logic

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Credential Access, Initial Access, Execution

Techniques: Credentials in Files (T1081), Execution through Module Load (T1129)

You can explore the tactics used by the Winnti group in the MITRE ATT&CK section on Threat Detection Marketplace:  https://tdm.socprime.com/att-ck/

We also recommend another Sigma rule by Ariel Millahuel to detect the Winnti group campaigns: https://tdm.socprime.com/tdm/info/btjlkBTjI66s/-otFoXEB1-hfOQirV9bj/

And YARA rule by Emanuele De Lucia – APT41 / Wicked Panda / Group 72 / Winnti Group YARA Malware Pack: https://tdm.socprime.com/tdm/info/Su15QW8GgK8m/xuZQy3EBv8lhbg_iWY1s/#xuZQy3ivi1vybywybvi

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko