Threat Report: What is the Zox Exploit Tool and How Does it Work?

Zox is a remote access exploitation tool used by the Black Coffee malware. Zox has been used by Black Coffee since at least 2008 and has various capabilities, such as enumerating files and processes, downloading and uploading files, and creating a reverse shell. Black Coffee also uses Microsoft’s TechNet Web portal to obtain encoded tags that contain the IP addresses of command and control servers. If a C2 server is discovered or shut down, Black Coffee can update the encoded IP address on TechNet to maintain control of the victims’ machines.

Zox Capabilities

Zox may attempt to get information about running processes on a system in order to run reconnaissance on the system. Zox may use an existing, legitimate external Web service to host information that points to additional command and control infrastructure.

  • Zox may attempt to get information about running processes, common software/applications, and system information (including OS and hardware versions) on a system. This information may be used to determine whether or not to fully infect the target and/or attempt specific actions. Zox may also enumerate files and directories, or search for certain information within a file system.
  • Zox allows an adversary to take control of a system and send commands to it over the Web. The malware may also exploit software vulnerabilities to elevate privileges and transfer tools or files between systems.
  • Zox may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Zox may use an existing, legitimate external Web service to host information that points to additional command and control infrastructure. Zox may post content, known as a dead drop resolver, on Web services with embedded domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
  • Zox's operators may use various techniques to hide their presence on a system and to communicate with their victims. These techniques include using the Windows command prompt, steganography, and deleting files that could be used to detect their activity.

Ways to Mitigate Zox Malware Attacks

  • Zox can be mitigated by using system and network discovery techniques to identify and track the adversary's movements. Data and events should be analyzed as part of a larger picture to determine what other activities the adversary may be planning.
  • Zox can be mitigated by detecting and monitoring unusual activity on endpoint systems, including suspicious processes and external network connections. Additionally, the use of utilities that do not normally occur on a system may be indicative of an attempted attack.
  • Zox can be difficult to detect, as it can be obfuscated to avoid detection. However, it is possible to detect the malicious activity that the malware causes. Monitoring process activity, command-line arguments, and Windows system management tools can help to identify the presence of the Zox malware.
  • Zox can be mitigated by monitoring for command-line deletion functions, restricting scripting for normal users, and analyzing network data for uncommon data flows.
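The two detection ideas above (command-line deletion and the dead-drop-resolver pattern, where a victim first reaches a legitimate Web service and shortly afterwards a bare IP address) can be turned into simple rules over endpoint telemetry. The script below is an added example, not code from the report or from any vendor: the log lines are constructed, and the list of dead-drop Web services is an assumption based on the report's mention of TechNet.

```python
import re

# Constructed sample telemetry (not from the report): "HH:MM:SS|host|kind|detail"
# kind is "proc" (process creation with command line) or "net" (outbound connection).
SAMPLE_LOG = r"""
10:00:01|WS01|proc|cmd.exe /c dir C:\Users\alice\Documents
10:00:05|WS01|net|WS01 -> technet.microsoft.com:443
10:00:09|WS01|net|WS01 -> 203.0.113.10:443
10:02:11|WS01|proc|cmd.exe /c del /f /q C:\Users\alice\AppData\Local\Temp\stage.tmp
10:05:30|WS02|proc|notepad.exe report.docx
10:05:41|WS02|net|WS02 -> 203.0.113.10:443
"""

# Assumed list of legitimate services that the report says are abused as dead-drop resolvers.
DEAD_DROP_HOSTS = {"technet.microsoft.com"}
DELETION_RE = re.compile(r"\b(del|erase|rmdir|rd)\b", re.IGNORECASE)
IP_DEST_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+")
NAME_DEST_RE = re.compile(r"->\s*([A-Za-z][\w.-]+):\d+")


def parse(line):
    """Split one log line into (seconds-since-midnight, host, kind, detail)."""
    ts, host, kind, detail = line.split("|", 3)
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s, host, kind, detail


def detect(log_text, window=60):
    """Return (host, rule, detail) findings for the two behaviours described in the report."""
    findings = []
    last_dead_drop = {}  # host -> time it last contacted a dead-drop Web service
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, host, kind, detail = parse(line)
        if kind == "proc":
            parts = detail.split()
            # Rule 1: deletion verbs passed to the Windows command prompt.
            if parts and parts[0].lower() == "cmd.exe" and DELETION_RE.search(detail):
                findings.append((host, "cmdline_deletion", detail))
        elif kind == "net":
            name = NAME_DEST_RE.search(detail)
            if name and name.group(1).lower() in DEAD_DROP_HOSTS:
                last_dead_drop[host] = t
                continue
            ip = IP_DEST_RE.search(detail)
            # Rule 2: a raw-IP connection within `window` seconds of a dead-drop lookup.
            if ip and host in last_dead_drop and t - last_dead_drop[host] <= window:
                findings.append((host, "dead_drop_then_ip_c2", ip.group(1)))
    return findings
```

On the constructed log, WS01 triggers both rules while WS02's lone connection to the same IP does not, which is the point: the raw-IP connection is only suspicious in the context of the preceding Web-service lookup.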

About the APT17 Threat Group

Chinese state-sponsored cyberespionage groups Leviathan and Axiom, active since at least 2009 and 2008 respectively, have targeted a variety of sectors across the US, Canada, Europe, the Middle East, and Southeast Asia. APT17, another China-based threat group, has also conducted network intrusions against US government entities and various companies and organizations.

Reactionary Times News Desk
