The PE_Floxif family is a known virus infector that was first observed and detected by Trend Micro in 2012. Recently, there has been an observed increase in incidents related to this PE infection. This article provides details about this threat and guidance for users who encounter this type of malware.
"PE_" is the Trend Micro detection prefix for "Portable Executable Malware". These are malicious programs that copy or insert themselves into other programs, commonly referred to as virus (file) infectors. Floxif's entry point is like that of other malware: it may be downloaded via web or email, dropped by other malware, or, most commonly, introduced when a previously infected file is shared via USB or a shared drive.
Virus Reports
- Threat Encyclopedia: Virus.Win32.FLOXIF.D
- Threat Encyclopedia: PE_FLOXIF.SM-O
- Threat Encyclopedia: PE_FLOXIF.D
Capabilities
- Anti-Sandbox Mechanism
- Infects EXEs and DLLs running in the background, attaching itself to them as part of its routine
- Persistence via AppInit DLL loading, which allows the malware to hook its main file into any executable the user runs
Indicators of Compromise
- hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible
| Detections | Hash (SHA1) |
|---|---|
| PE_FLOXIF.SM-O | 14ba3fa927a06224dfe587014299e834def4644f |
| PE_FLOXIF.D | f64e0c9c8cfabf8fcf6e88905b812a1ce0872b4f |
| Solution | OPR / POLICY |
|---|---|
| PE_FLOXIF.SM-O | 11.127.00 |
| PE_FLOXIF.D | 15.299.00 |
| Behavior Monitoring (TMTD) | PA4734S |
Containment
- Check how many endpoints are affected by doing the following:
  - Filter Virus Logs / Anti-Malware Events by their detection name.
  - Create a Pivot Table similar to the following.
  - Identify infection sources by filtering on Source Host, either in the pivot table or on the web portal.
- Isolate the endpoints for cleanup.
- For a larger outbreak, Outbreak Prevention Policies can be utilized.
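As an added example (not part of the original article or of Trend Micro's tooling), the script below performs the filter-and-pivot steps above on a constructed Anti-Malware event export: it keeps only the PE_FLOXIF detections, counts detections per endpoint, and tallies Source Host to rank likely infection sources. The CSV column names are assumptions about the export format.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export of Anti-Malware events (not a real log); column
# names are assumed, not Trend Micro's actual export schema.
SAMPLE_LOG = """\
Time,Endpoint,Detection,File,Source Host,Action
2020-01-10 09:01:02,WS-0012,PE_FLOXIF.SM-O,C:\\Users\\a\\app.exe,FS-SHARE01,Quarantined
2020-01-10 09:03:14,WS-0031,PE_FLOXIF.D,E:\\setup.exe,USB,Cleaned
2020-01-10 09:05:40,WS-0012,TROJ_GEN.R002C0,C:\\tmp\\x.exe,WS-0012,Deleted
2020-01-10 09:07:33,WS-0044,PE_FLOXIF.SM-O,\\\\FS-SHARE01\\tools\\tool.dll,FS-SHARE01,Quarantined
2020-01-10 09:09:00,WS-0044,PE_FLOXIF.D,C:\\Program Files\\v\\v.exe,WS-0031,Cleaned
"""

# Detection names taken from the advisory above.
FLOXIF_DETECTIONS = {"PE_FLOXIF.SM-O", "PE_FLOXIF.D"}


def floxif_events(text):
    """Step 1: keep only rows whose detection name is a PE_FLOXIF variant."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["Detection"] in FLOXIF_DETECTIONS:
            yield row


def pivot(events):
    """Step 2: endpoint x detection counts plus a Source Host tally."""
    by_endpoint = defaultdict(Counter)
    by_source = Counter()
    for ev in events:
        by_endpoint[ev["Endpoint"]][ev["Detection"]] += 1
        by_source[ev["Source Host"]] += 1
    return by_endpoint, by_source


def affected_endpoints(by_endpoint):
    """Endpoints that need isolation and cleanup, sorted for reporting."""
    return sorted(by_endpoint)


def infection_sources(by_source, n=3):
    """Step 3: the hosts most often named as the source of infected files."""
    return by_source.most_common(n)


if __name__ == "__main__":
    by_endpoint, by_source = pivot(floxif_events(SAMPLE_LOG))
    for host in affected_endpoints(by_endpoint):
        print(host, dict(by_endpoint[host]))
    print("Top sources:", infection_sources(by_source))
```

Run it against your own export by replacing SAMPLE_LOG with the file contents; hosts at the top of the source list are the ones to isolate first.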
Cleanup
For Endpoints with functional and updated Security Software:
- Configure Real Time Scan, Scheduled Scan, Manual Scan, and Scan Now with the following settings:
  - Set scan target to "All scannable files".
  - Set scan actions to customized actions.
  - Remove scan exclusions.
- Perform a network-wide scan.
For Isolated Endpoints or Endpoints without Functional AV Software:
- Option 1: ATTK Offline Clean Tool
- Option 2: Trend Micro Rescue Disk
- For cleanup, choose Scan for Security Threats.
- Perform a Full Scan.
- A message should appear once the files are cleaned. Files that are not cleaned can be deleted manually or sent to Trend Micro for analysis.