Skip to content

S0564 BlackMould

BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.1

Item Value
ID S0564
Associated Names
Version 1.0
Created 14 January 2021
Last Modified 23 March 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BlackMould can send commands to C2 in the body of HTTP POST requests.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell BlackMould can run cmd.exe with parameters.1
enterprise T1005 Data from Local System BlackMould can copy files on a compromised host.1
enterprise T1083 File and Directory Discovery BlackMould has the ability to find files on the targeted system.1
enterprise T1105 Ingress Tool Transfer BlackMould has the ability to download files to the victim’s machine.1
enterprise T1082 System Information Discovery BlackMould can enumerate local drives on a compromised host.1

Groups That Use This Software

ID Name References