Skip to content

S0672 Zox

Zox is a remote access tool that has been used by Axiom since at least 2008.1

Item Value
ID S0672
Associated Names Gresim, ZoxRPC, ZoxPNG
Type MALWARE
Version 1.0
Created 09 January 2022
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Gresim 1
ZoxRPC 1
ZoxPNG 1

Techniques Used

Domain ID Name Use
enterprise T1005 Data from Local System Zox has the ability to upload files from a targeted system.1
enterprise T1001 Data Obfuscation -
enterprise T1001.002 Steganography Zox has used the .PNG file format for C2 communications.1
enterprise T1068 Exploitation for Privilege Escalation Zox has the ability to leverage local and remote exploits to escalate privileges.1
enterprise T1083 File and Directory Discovery Zox can enumerate files on a compromised host.1
enterprise T1105 Ingress Tool Transfer Zox can download files to a compromised machine.1
enterprise T1027 Obfuscated Files or Information Zox has been encoded with Base64.1
enterprise T1057 Process Discovery Zox has the ability to list processes.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Zox has the ability to use SMB for communication.1
enterprise T1082 System Information Discovery Zox can enumerate attached drives.1

Groups That Use This Software

ID Name References
G0001 Axiom 1

References

Back to top