
Floxif

Posted: September 22, 2017

Threat Metric

Ranking: 9,215
Threat Level: 8/10
Infected PCs: 124,820
First Seen: January 4, 2013
Last Seen: March 5, 2025
OS(es) Affected: Windows

Floxif is a Trojan downloader that can infect your PC with additional threats, such as backdoor Trojans that give remote attackers direct control of the desktop. The Trojan is attributed to Axiom, a Chinese hacking group, and installed itself through compromised builds of the CCleaner software. Users of the program should check which build they are running to determine whether it is one of the trojanized releases and, if so, have anti-malware products remove Floxif and all related threats from their computers.

System Cleaners Full of Filth

Although it's not uncommon for malware experts to examine 'system-cleaning' programs that claim to fix errors related to cookies or Registry entries, most of these products are scamware. One of the few exceptions, Piriform's CCleaner, is contending with a recent history of being compromised by third-party threat actors. After compromising specific builds of CCleaner, through methods still under investigation by the authorities at the time of writing, hackers associated with the Chinese Axiom gang bundled the product with a second application of their choosing: the Floxif Trojan. Because the tainted builds were distributed through the vendor's own download channel and carried a valid code signature, nothing on the download page distinguished them from a legitimate release.

Floxif is a Trojan downloader that seems to have been purpose-made for the reconnaissance stage of the breach: it exfiltrates general system information such as the computer name, the names of running processes, data about installed programs and the MAC addresses of the machine's network adapters. Floxif also can download and install a variety of other threats onto your computer, which its threat actors may use for collecting more significant information than system stats, such as passwords, or for gaining a more comprehensive degree of control over the machine.

As a persistent threat with a stealth-based design, Floxif shows no obvious symptoms that malware analysts can point to. Victims with a basic background in computer security may detect it indirectly by isolating its Registry entries, which it disguises as configuration values under CCleaner's own vendor key, or its local files, which it hides as fake system components.

Cleaning Up after a Poor Janitorial Job

Axiom seems to have aimed Floxif's second stage at high-value victims, such as internal domains belonging to Cisco, Google (Gmail), Linksys and other business organizations; while the tainted installer was downloaded roughly 2.27 million times by Avast's count, the follow-on payload was delivered to only a few dozen machines at those targets. Piriform recommends updating CCleaner to a non-compromised release (5.34 or later; 5.35 at the time of writing); Floxif is present in two infected builds: CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. Ironically, since it includes Registry-analyzing features, an updated version of CCleaner also may help victims spot Floxif or related threats. However, CCleaner isn't a dedicated anti-malware program and shouldn't be presumed to uninstall any threatening software in full.
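The following host-triage script is an added example, not code from this page or from Piriform/Avast. It checks a Windows machine for the indicators the article gives: the two compromised build numbers, the dropped symsrv.dll and its MD5, and the disguised configuration values under the vendor's Registry key. The key name HKLM\SOFTWARE\Piriform\Agomo and its MUID/TCID/NID values come from Cisco Talos's public analysis of the incident, not from this page; the CCleaner.exe install path and the assumption that the Uninstall key's DisplayVersion carries the build number are assumptions and are marked as such in the comments.

```powershell
# Added example (not from the page or from Piriform/Avast): triage a Windows host
# for the Floxif/CCleaner indicators listed in the article. Run elevated, PS 5.1+.
$ErrorActionPreference = 'SilentlyContinue'

# IOCs taken from the page.
$FloxifMd5 = '1458e1451cf701b363c99cfb81317789'
$BadBuilds = @{ 'CCleaner' = '5.33.6162'; 'CCleaner Cloud' = '1.07.3191' }
# Registry key the loader used for its disguised config values (MUID/TCID/NID);
# documented in Cisco Talos's analysis of the incident, not on this page.
$AgomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo'
# Default location of the 32-bit executable that carried the payload; assumed.
$CCleanerExe = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'
# %COMMONPROGRAMFILES% resolves differently for 32- and 64-bit processes, so check both.
$DllCandidates = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'System\symsrv.dll' } |
    Select-Object -Unique

$findings = New-Object System.Collections.Generic.List[string]

# 1. Installed product versions from both the 64-bit and 32-bit Uninstall views.
#    Assumption: DisplayVersion carries the build (e.g. 5.33.6162). If the vendor
#    records only "5.33", the prefix test still flags the release for review.
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstall |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    ForEach-Object {
        $name = [string]$_.DisplayName
        $ver  = [string]$_.DisplayVersion
        foreach ($product in $BadBuilds.Keys) {
            $bad    = $BadBuilds[$product]
            $prefix = ($bad -split '\.')[0..1] -join '.'      # "5.33" or "1.07"
            if ($name -like "$product*" -and ($ver -eq $bad -or $ver -like "$prefix*")) {
                $findings.Add("Suspect build installed: $name $ver (compromised release is $bad)")
            }
        }
    }

# 2. PE version of the payload-carrying executable (assumed path). Compared loosely,
#    since how Piriform packs the build number into the version fields is assumed.
if (Test-Path -LiteralPath $CCleanerExe) {
    $pv = (Get-Item -LiteralPath $CCleanerExe).VersionInfo.ProductVersion
    if ($pv -like '5.33*') {
        $findings.Add("CCleaner.exe product version $pv is in the compromised 5.33 line")
    }
}

# 3. The dropped DLL. The name collides with Microsoft's legitimate symbol-server DLL,
#    which ships with the Debugging Tools rather than under Common Files\System, so the
#    location alone is suspicious and the hash settles it.
foreach ($dll in $DllCandidates) {
    if (Test-Path -LiteralPath $dll) {
        $md5 = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash.ToLower()
        if ($md5 -eq $FloxifMd5) {
            $findings.Add("Floxif DLL present: $dll (MD5 matches the page's sample)")
        } else {
            $findings.Add("Unexpected symsrv.dll at $dll (MD5 $md5 does not match; inspect manually)")
        }
    }
}

# 4. Disguised configuration values under the vendor's own Registry hive.
if (Test-Path -LiteralPath $AgomoKey) {
    $names = (Get-Item -LiteralPath $AgomoKey).GetValueNames() -join ', '
    $findings.Add("Floxif config key present: $AgomoKey (values: $names)")
}

if ($findings.Count -eq 0) { 'No Floxif indicators from this page were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A clean result from this script only means the indicators listed here are absent; it does not prove the host was never running the tainted build, and because the second stage was delivered selectively, one clean host says nothing about its neighbours on the same network.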

Trojan downloaders can install a range of different threats at their operators' discretion. Appropriate responses to such a compromise should include disinfecting your PC with anti-malware products that also can detect rootkits, in addition to uninstalling Floxif. Malware analysts also recommend treating any sensitive information on the infected PC, such as logins, as being in the attackers' possession until proven otherwise. Users should change their passwords and related security credentials as soon as possible after the disinfection, preferably from a machine known to be clean.

It is always a significant event when threat actors manage to compromise a normally legitimate piece of software. Floxif also shows ominous signs of what the future may hold: con artists who hide their attacks inside the implied relationship of trust between the PC security industry and its customers.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: symsrv.dll
Path: %COMMONPROGRAMFILES%\System\symsrv.dll
Size: 73.43 KB (73,436 bytes)
MD5: 1458e1451cf701b363c99cfb81317789
File type: Dynamic link library
Group: Malware file
Detection count: 5,132
Last Updated: December 19, 2024

Note that the file name is shared with a legitimate Microsoft symbol-server component that ships with the Windows Debugging Tools; match on the path and the hash above rather than on the name alone.
