BlackCoffee

Description

(Novetta) ZoxPNG is a very simple RAT that uses the PNG image file format as the carrier for data going to and from the C2 server. ZoxPNG supports 13 commands natively. In addition, ZoxPNG has the ability to load and execute arbitrary code from the C2 server providing an almost unlimited feature set. For instance, ZoxPNG provides no functionality for key logging, screen grabbing or file execution. If an attacker required such functionality, the attacker would construct a simple shell-code binary which the ZoxPNG binary could execute thereby expanding the feature set of the Trojan. ZoxPNG does not contain any configuration information. The attacker using ZoxPNG must specify the C2 server address as a command line argument.

Names

Name
BlackCoffee
PNGRAT
ZoxPNG
gresim

Category

Malware

Type

• Backdoor

Information

• https://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf
• https://www.fireeye.com/current-threats/apt-groups/rpt-apt17.html
• https://www.zdnet.com/article/fireeye-microsoft-wipe-technet-clean-of-malware-hidden-by-hackers/
• http://malware-log.hatenablog.com/entry/2015/05/18/000000_1

Mitre Attack

• https://attack.mitre.org/software/S0069/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:BLACKCOFFEE

Other Information

Uuid

12cdfcf1-3407-4838-9e6f-aae75fd69dac

Last Card Change

2022-12-29