สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency

Report

Home > List all groups > List all tools > List all groups using tool BlackCoffee

Threat Group Cards: A Threat Actor Encyclopedia

Tool: BlackCoffee

Names	BlackCoffee PNGRAT ZoxPNG gresim
Category	Malware
Type	Backdoor
Description	(Novetta) ZoxPNG is a very simple RAT that uses the PNG image file format as the carrier for data going to and from the C2 server. ZoxPNG supports 13 commands natively. In addition, ZoxPNG has the ability to load and execute arbitrary code from the C2 server providing an almost unlimited feature set. For instance, ZoxPNG provides no functionality for key logging, screen grabbing or file execution. If an attacker required such functionality, the attacker would construct a simple shell-code binary which the ZoxPNG binary could execute thereby expanding the feature set of the Trojan. ZoxPNG does not contain any configuration information. The attacker using ZoxPNG must specify the C2 server address as a command line argument.
Information	<https://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf> <https://www.fireeye.com/current-threats/apt-groups/rpt-apt17.html> <https://www.zdnet.com/article/fireeye-microsoft-wipe-technet-clean-of-malware-hidden-by-hackers/> <http://malware-log.hatenablog.com/entry/2015/05/18/000000_1>
MITRE ATT&CK	<https://attack.mitre.org/software/S0069/>
Malpedia	<https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee>
AlienVault OTX	<https://otx.alienvault.com/browse/pulses?q=tag:BLACKCOFFEE>

Last change to this tool card: 29 December 2022

Download this tool card in JSON format

Previous: BlackCat
Next: BlackEnergy

All groups using tool BlackCoffee

Changed	Name	Country	Observed
APT groups
	APT 17, Deputy Dog, Elderwood, Sneaky Panda		2009-Sep 2017
	APT 41		2012-Feb 2023
	Axiom, Group 72		2008-2008/2014
	Hidden Lynx, Aurora Panda		2009-2014
	Leviathan, APT 40, TEMP.Periscope		2013-Jul 2021

5 groups listed (5 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Report incidents

+66 (0)2-123-1227

[email protected]