BlackMould
BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[1]
ID: S0564
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.0
Created: 14 January 2021
Last Modified: 23 March 2021
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
BlackMould can copy files on a compromised host.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
BlackMould can run cmd.exe with parameters.[1] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
BlackMould can send commands to C2 in the body of HTTP POST requests.[1] |
| Enterprise | T1083 | 文件和目录发现 |
BlackMould has the ability to find files on the targeted system.[1] |
|
| Enterprise | T1082 | 系统信息发现 |
BlackMould can enumerate local drives on a compromised host.[1] |
|
| Enterprise | T1105 | 输入工具传输 |
BlackMould has the ability to download files to the victim's machine.[1] |
|