S0672 Zox
Zox is a remote access tool that has been used by Axiom since at least 2008. [1]
| Item | Value |
|---|---|
| ID | S0672 |
| Associated Names | Gresim, ZoxRPC, ZoxPNG |
| Type | MALWARE |
| Version | 1.0 |
| Created | 09 January 2022 |
| Last Modified | 20 March 2023 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Gresim | [1] |
| ZoxRPC | [1] |
| ZoxPNG | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1005 | Data from Local System | Zox has the ability to upload files from a targeted system. [1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | Zox has used the .PNG file format for C2 communications. [1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Zox has the ability to leverage local and remote exploits to escalate privileges. [1] |
| enterprise | T1083 | File and Directory Discovery | Zox can enumerate files on a compromised host. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Zox can download files to a compromised machine. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Zox has been encoded with Base64. [1] |
| enterprise | T1057 | Process Discovery | Zox has the ability to list processes. [1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Zox has the ability to use SMB for communication. [1] |
| enterprise | T1082 | System Information Discovery | Zox can enumerate attached drives. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0001 | Axiom | [1] |