BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BlackMould can send commands to C2 in the body of HTTP POST requests.[1] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
BlackMould can run cmd.exe with parameters.[1] |
Enterprise | T1005 | Data from Local System |
BlackMould can copy files on a compromised host.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
BlackMould has the ability to find files on the targeted system.[1] |
|
Enterprise | T1105 | Ingress Tool Transfer |
BlackMould has the ability to download files to the victim's machine.[1] |
|
Enterprise | T1082 | System Information Discovery |
BlackMould can enumerate local drives on a compromised host.[1] |