Zox

Zox is a remote access tool that has been used by Axiom since at least 2008.^[1]

ID: S0672

ⓘ

Associated Software: Gresim, ZoxRPC, ZoxPNG

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 09 January 2022

Last Modified: 10 April 2024

Associated Software Descriptions

Name	Description
Gresim	^[1]
ZoxRPC	^[1]
ZoxPNG	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		从本地系统获取数据	Zox has the ability to upload files from a targeted system.^[1]
Enterprise	T1001	.002	数据混淆: Steganography	Zox has used the .PNG file format for C2 communications.^[1]
Enterprise	T1083		文件和目录发现	Zox can enumerate files on a compromised host.^[1]
Enterprise	T1068		权限提升漏洞利用	Zox has the ability to leverage local and remote exploits to escalate privileges.^[1]
Enterprise	T1027	.013	混淆文件或信息: Encrypted/Encoded File	Zox has been encoded with Base64.^[1]
Enterprise	T1082		系统信息发现	Zox can enumerate attached drives.^[1]
Enterprise	T1105		输入工具传输	Zox can download files to a compromised machine.^[1]
Enterprise	T1057		进程发现	Zox has the ability to list processes.^[1]
Enterprise	T1021	.002	远程服务: SMB/Windows Admin Shares	Zox has the ability to use SMB for communication.^[1]

Groups That Use This Software

ID	Name	References
G0001	Axiom	^[1]

References

Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.