f0xy is a malware downloader. The strings the rule below matches (a bitsadmin /transfer command, a self-deleting rm.bat, and an av_list= value) correspond to what the sample does on a host: it fetches follow-on payloads through the Windows BITS service and collects the installed anti-virus products to report to its operators. A downloader is the first stage of a longer intrusion, so the file match alone is not the whole story: SOC teams should hunt for the same behaviour in Azure Sentinel (now Microsoft Sentinel), for example bitsadmin.exe process creations with /transfer on the command line, to catch the payload stage before it leads to persistence, credential abuse or data exfiltration.
YARA Rule
rule ws_f0xy_downloader {
    meta:
        description = "f0xy malware downloader"
        author = "Nick Griffin (Websense)"
    strings:
        $mz = "MZ"                          // DOS header magic: restricts the rule to PE files
        $string1 = "bitsadmin /transfer"    // payload fetch via the BITS service
        $string2 = "del rm.bat"             // self-deleting batch file cleanup
        $string3 = "av_list="               // list of installed anti-virus products
    condition:
        ($mz at 0) and (all of ($string*))  // MZ at offset 0 and all three strings present
}
The rule contains four string patterns. The condition requires the MZ header at offset 0 and all three behavioural strings, so it only fires on PE files that carry every one of them; a text file such as a batch or PowerShell script containing the same commands does not match. Because the rule is a file-content signature, exclusions should be expressed in file terms (full path, hash, verified signature, scanning scope), not in terms of which user launched a process.
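The following is an added example, not part of the original page or of Websense's tooling. It re-implements the rule's condition in plain Python so the matching and exclusion behaviour can be checked offline without yara-python (in production, compile and run the rule with YARA itself), and applies the file-level exclusions discussed in the false-positive scenarios: an allowlisted SHA-256, an analysis-share path prefix, and a trusted Authenticode signer. All file contents, paths, hashes and the signer name are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# The rule's strings, copied from ws_f0xy_downloader above.
F0XY_STRINGS = (b"bitsadmin /transfer", b"del rm.bat", b"av_list=")


def rule_matches(data: bytes) -> bool:
    """Plain-Python equivalent of ($mz at 0) and (all of ($string*))."""
    return data.startswith(b"MZ") and all(s in data for s in F0XY_STRINGS)


@dataclass
class Sample:
    name: str
    path: str
    data: bytes
    signer: Optional[str] = None  # Authenticode signer CN if signed (constructed value)


def fake_pe(*strings: bytes) -> bytes:
    """Constructed file body: a real PE has a full DOS/PE header, but the rule
    only requires "MZ" at offset 0, so two bytes are enough to exercise it."""
    return b"MZ" + b"\x90" * 64 + b"\x00".join(strings) + b"\x00" * 16


F0XY_LIKE = fake_pe(*F0XY_STRINGS)
MAINTENANCE_TOOL = fake_pe(b"patch-fetcher v1", *F0XY_STRINGS)  # hypothetical in-house wrapper
PARTIAL_PE = fake_pe(b"bitsadmin /transfer", b"av_list=")       # only two of the three strings
PS1_SCRIPT = b"# PSConfigManager.ps1\n" + b"\n".join(F0XY_STRINGS)  # text file, no MZ header

# Exclusions that are attributes of the file. Username or group membership is not
# one: excluding Administrators would also exclude an attacker holding admin credentials.
ALLOWLISTED_SHA256 = {hashlib.sha256(MAINTENANCE_TOOL).hexdigest()}  # re-baseline on each tool update
ALLOWLISTED_PATH_PREFIXES = ("C:\\MalwareLab\\",)  # hypothetical analysis share
TRUSTED_SIGNERS = {"Example Vendor GmbH"}          # hypothetical signer CN


def triage(sample: Sample) -> str:
    """Classify a file as no-match, suppressed (with reason), review, or alert."""
    if not rule_matches(sample.data):
        return "no-match"
    digest = hashlib.sha256(sample.data).hexdigest()
    if digest in ALLOWLISTED_SHA256:
        return "suppressed:hash"
    if sample.path.startswith(ALLOWLISTED_PATH_PREFIXES):
        return "suppressed:path"
    if sample.signer in TRUSTED_SIGNERS:
        # A valid vendor signature lowers priority but does not auto-close the match:
        # confirm the chain and find out why a vendor binary carries these strings.
        return "review:signed-vendor"
    return "alert"


SAMPLES = [
    Sample("f0xy_dropper.exe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", F0XY_LIKE),
    Sample("patch-fetcher.exe", "C:\\Tools\\patch-fetcher.exe", MAINTENANCE_TOOL),
    Sample("lab_copy.exe", "C:\\MalwareLab\\f0xy\\sample.exe", F0XY_LIKE),
    Sample("vendor_setup.exe", "C:\\Downloads\\setup.exe", F0XY_LIKE, signer="Example Vendor GmbH"),
    Sample("partial.exe", "C:\\Tools\\partial.exe", PARTIAL_PE),
    Sample("PSConfigManager.ps1", "C:\\Scripts\\PSConfigManager.ps1", PS1_SCRIPT),
]


def triage_all() -> dict:
    """Run triage over the constructed samples and return name -> verdict."""
    return {s.name: triage(s) for s in SAMPLES}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:24} {verdict}")
```

The two "no-match" samples show the limits of the signature itself: the PowerShell script contains every string but has no MZ header, and the partial binary lacks one string. The remaining verdicts show that the same bytes can be an alert, a suppressed lab copy or a vendor review depending only on file attributes, which is the level at which exclusions for this rule belong.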
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task runs an in-house executable that fetches patches with bitsadmin /transfer and cleans up after itself with a batch file. Because the rule requires an MZ header plus all three strings, a plain batch or PowerShell script cannot match; only a compiled wrapper or another binary that embeds all three strings can.
Filter/Exclusion: Exclude the specific matched file by its full path and SHA-256, and re-baseline the hash whenever the tool is updated. Do not exclude the hosting process (e.g. schtasks.exe, taskhost.exe): malicious scheduled tasks run under the same processes, so that exclusion would hide them too.
Scenario: Admin using f0xy for internal testing
Description: A security team member keeps f0xy samples, or a custom tool named f0xy, on an analysis host for malware testing.
Filter/Exclusion: Scope the exclusion to the analysis hosts or the malware-lab directory (by hostname or full path). Do not exclude on Administrators group membership or on a username such as security-team: an attacker who has obtained those credentials would be excluded as well, which defeats the purpose of hunting for this downloader.
Scenario: Legitimate third-party software installation
Description: A legitimate installer or self-extracting archive (e.g. a 7-Zip or WinRAR package) is flagged. In practice these vendor binaries do not carry "del rm.bat" or "av_list=", so a match in a signed vendor file is unusual and should be verified rather than assumed benign.
Filter/Exclusion: Exclude by verified Authenticode signature or by the hash of the specific build. Do not exclude by file name (e.g. 7z.exe, WinRAR.exe), which an attacker can reuse for a renamed payload.
Scenario: PowerShell script for configuration management
Description: A PowerShell script (e.g. PSConfigManager.ps1) deploys configurations and downloads files with BITS. A .ps1 file is text and does not begin with MZ, so this rule cannot match the script itself; it can only match a script that was compiled into an executable, or a binary the script drops.
Filter/Exclusion: If a compiled build of the script matches, exclude that build by full path and hash. Otherwise treat a match as a real binary on disk rather than as the script, and investigate what the script downloaded.
Scenario: User-initiated file download for legitimate purposes
Description: A user downloads a file (e.g., a software update or document) using a downloader that matches the