Detection Content: Floxif Trojan

Floxif Trojan is primarily known for its use by the Winnti group, who distributed it inside an infected build of CCleaner that users downloaded from the official site. The attack occurred in September 2017; the attackers allegedly gained access to CCleaner’s build environment. Floxif Trojan was used together with Nyetya Trojan to collect information about infected systems and deliver the next-stage payload. During that attack, the cybercriminals were interested in the largest technology companies, including Google and Microsoft. Since then, the trojan has been used more than once in attacks; one of its distinctive abilities is the modification of legitimate files, turning them into backdoors. The trojan can also download additional malware, execute various .exe files, and neutralize installed anti-malware solutions. Ariel Millahuel’s new rule allows Floxif to be detected during installation, so that the threat can be responded to before serious damage is done: https://tdm.socprime.com/tdm/info/KpSB21CgFObY/nYyRCHIB1-hfOQirvSY3/?p=1

Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Credential Access, Initial Access, Execution

Techniques: Credentials in Files (T1081), Execution through Module Load (T1129)

You can explore the tactics used by the Winnti group in the MITRE ATT&CK section on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/

We also recommend another Sigma rule by Ariel Millahuel to detect the Winnti group campaigns: https://tdm.socprime.com/tdm/info/btjlkBTjI66s/-otFoXEB1-hfOQirV9bj/

And a YARA rule by Emanuele De Lucia – APT41 / Wicked Panda / Group 72 / Winnti Group YARA Malware Pack: https://tdm.socprime.com/tdm/info/Su15QW8GgK8m/xuZQy3EBv8lhbg_iWY1s/#xuZQy3ivi1vybywybvi