Sid 1-51534

Message

MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io

Summary

This event is generated when the LocalXpose application begins proxying traffic from localhost ports to the Internet.

Impact

LocalXpose is a reverse proxy tool that has opened a tunnel exposing a workstation's local ports to the wider Internet. The infected host may be running a web application or exposing files for exfiltration.
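As an added example (not code from the Talos rule page or from Snort itself), the following Python applies the same check the rule message describes, a DNS query for any name under loclx.io, to resolver log lines; the log format, client IPs and query names are constructed for the example, and a label-boundary check keeps look-alike names out of the results.

```python
import re
from dataclasses import dataclass

# Suffix that SID 1-51534 alerts on: any label under loclx.io
# (written as ANY.loclx.io in the rule message).
BACKDOOR_DOMAIN = "loclx.io"


@dataclass
class Finding:
    client: str
    qname: str


def is_backdoor_domain(qname: str, suffix: str = BACKDOOR_DOMAIN) -> bool:
    """True if qname is the suffix itself or any subdomain of it.

    Normalises case and a trailing root dot, and requires a label
    boundary so 'notloclx.io' and 'loclx.io.example.net' do not match.
    """
    name = qname.strip().rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


# Hypothetical resolver-log format, constructed for this example:
# "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>"
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def scan_dns_log(lines):
    """Return one Finding per log line whose query name is under loclx.io."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_backdoor_domain(m.group("qname")):
            findings.append(Finding(client=m.group("ip"), qname=m.group("qname")))
    return findings


# Constructed sample lines (not real traffic); the private IPs are placeholders.
SAMPLE_LOG = [
    "10-Mar-2020 09:14:02.117 client 10.0.0.23#51344: query: abc123.loclx.io IN A",
    "10-Mar-2020 09:14:05.201 client 10.0.0.23#51350: query: www.example.com IN A",
    "10-Mar-2020 09:14:07.008 client 10.0.0.41#60012: query: Tunnel-1.LOCLX.IO. IN A",
    "10-Mar-2020 09:14:09.550 client 10.0.0.41#60013: query: notloclx.io IN A",
    "10-Mar-2020 09:14:11.300 client 10.0.0.57#40001: query: loclx.io.example.net IN A",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.client} queried {f.qname}")
```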

Detailed information

Affected systems

Ease of attack

Simple

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • www.virustotal.com/en/domain/.loclx.io/information/