Zox

Zox is a remote access tool that has been used by Axiom since at least 2008.[1]

ID: S0672
Associated Software: Gresim, ZoxRPC, ZoxPNG
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 09 January 2022
Last Modified: 10 April 2024

Associated Software Descriptions

Name     Description
Gresim   [1]
ZoxRPC   [1]
ZoxPNG   [1]

Techniques Used

Domain      ID         Name                                                        Use
Enterprise  T1005      Data from Local System                                      Zox has the ability to upload files from a targeted system.[1]
Enterprise  T1001.002  Data Obfuscation: Steganography                             Zox has used the .PNG file format for C2 communications.[1]
Enterprise  T1068      Exploitation for Privilege Escalation                       Zox has the ability to leverage local and remote exploits to escalate privileges.[1]
Enterprise  T1083      File and Directory Discovery                                Zox can enumerate files on a compromised host.[1]
Enterprise  T1105      Ingress Tool Transfer                                       Zox can download files to a compromised machine.[1]
Enterprise  T1027.013  Obfuscated Files or Information: Encrypted/Encoded File     Zox has been encoded with Base64.[1]
Enterprise  T1057      Process Discovery                                           Zox has the ability to list processes.[1]
Enterprise  T1021.002  Remote Services: SMB/Windows Admin Shares                   Zox has the ability to use SMB for communication.[1]
Enterprise  T1082      System Information Discovery                                Zox can enumerate attached drives.[1]

Groups That Use This Software

ID     Name   References
G0001  Axiom  [1]

References