BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)

BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	1
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	1
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2