ATT&CK v16 has been released! Check out the blog post for more information.

Zox

Zox is a remote access tool that has been used by Axiom since at least 2008.^[1]

ID: S0672

ⓘ

Associated Software: Gresim, ZoxRPC, ZoxPNG

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 09 January 2022

Last Modified: 10 April 2024

Version Permalink

Live Version

Associated Software Descriptions

Name	Description
Gresim	^[1]
ZoxRPC	^[1]
ZoxPNG	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		Data from Local System	Zox has the ability to upload files from a targeted system.^[1]
Enterprise	T1001	.002	Data Obfuscation: Steganography	Zox has used the .PNG file format for C2 communications.^[1]
Enterprise	T1068		Exploitation for Privilege Escalation	Zox has the ability to leverage local and remote exploits to escalate privileges.^[1]
Enterprise	T1083		File and Directory Discovery	Zox can enumerate files on a compromised host.^[1]
Enterprise	T1105		Ingress Tool Transfer	Zox can download files to a compromised machine.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	Zox has been encoded with Base64.^[1]
Enterprise	T1057		Process Discovery	Zox has the ability to list processes.^[1]
Enterprise	T1021	.002	Remote Services: SMB/Windows Admin Shares	Zox has the ability to use SMB for communication.^[1]
Enterprise	T1082		System Information Discovery	Zox can enumerate attached drives.^[1]

Groups That Use This Software

ID	Name	References
G0001	Axiom	^[1]

References

Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.