PE_FLOXIF Resurgence

Summary

The PE_Floxif family is a known virus infector that was first observed and detected by Trend Micro since 2012. Just recently, there is an observed increase in incidents related to this PE infection. This article showcases details about this threat and provides information should users encounter this type of malware.

"PE_" is the Trend Micro detection for "Portable Executable Malware " .These are malicious program that self-copy or insert itself to another program - commonly refer to as a virus infector. Floxif entry point is like other malware. Normally, it may be downloaded via web/email, dropped by other malware and the most common is when a previously infected file is shared either via USB or Shared Drive.

Virus Reports

Capabilities

Anti-Sandbox Mechanism
Infects EXEs and DLLs running on the background and attaches itself as part of its routine
Persistence on Load AppInit which allows the malware to hook the main malware file to any executable that the user executes

Indicators of Compromise

hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible

Detections	Hash (SHA1)
PE_FLOXIF.SM-O	14ba3fa927a06224dfe587014299e834def4644f
PE_FLOXIF.D	f64e0c9c8cfabf8fcf6e88905b812a1ce0872b4f

Details

Solution	OPR / POLICY
PE_FLOXIF.SM-O	11.127.00
PE_FLOXIF.D	15.299.00
Behavior Monitoring (TMTD)	PA4734S

Containment

Check how many endpoints are affected by doing the following.
1. Filter Virus Logs / Anti-Malware Events by their detection name.
2. Create a Pivot Table similar to the following.
Identify Infection sources by filtering through Source Host which can be done either on the pivot table or on the web portal.
Isolate the endpoints for cleanup.
For a larger outbreak, Outbreak Prevention Policies can be utilized.

Cleanup

For Endpoints with functional and updated Security Software:

Configure Real Time Scan, Scheduled Scan, Manual Scan, and Scan Now with the following Settings.
- Set scan target to "All scannable files".
- Set scan actions to customized actions.
- Remove scan exclusions.
Perform a network-wide scan.

For Isolated Endpoints or Endpoints without Functional AV Software:

Option 1: ATTK Offline Clean Tool
1. Download Trend Micro Anti-Threat Toolkit – Offline Clean Tool:
  32-bit
  64-bit
2. Since the malware infects .exe files, change the extension of the tool to .com. It is recommended to run it inside C:\Windows\.
3. Click Fix on the detected items, and click Restart once prompted.
Option 2: Trend Micro Rescue Disk
1. For Cleanup choose Scan for Security Threats.
2. Perform a Full Scan.
3. A message should appear once the files are cleaned. For files that are not cleaned, this can be deleted manually or sent to Trend Micro for analysis.