BlackMould

Malware updated 7 months ago (2024-05-04T19:35:38.138Z)

Download STIX

Preview STIX

BlackMould is a type of malware, specifically a native web shell, that has been observed in use by GALLIUM, a China-aligned intrusion group. This malicious software is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without the user's knowledge. BlackMould is based on the China Chopper web shell and is particularly tailored for servers running Microsoft IIS. This malware was identified and named by Microsoft. The primary function of BlackMould is to target network devices, including routers, Internet-exposed servers, and edge devices. It achieves this by leveraging vulnerabilities in these systems, often referred to as "zero-day vulnerabilities". These are previously unknown flaws in software that can be exploited before they are discovered and fixed by the software's creators. By exploiting such vulnerabilities, BlackMould can infiltrate and take control of a system. Once inside a system, BlackMould has the capability to perform various tasks on the victim host. Although the specific functionalities were not detailed in the provided information, typical malware actions may include stealing personal information, disrupting operations, or holding data hostage for ransom. The activities of BlackMould underscore the importance of robust cybersecurity measures, including regular system updates and patches, to protect against such threats.

Description last updated: 2023-09-22T09:38:47.065Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
China Chopper is a possible alias for BlackMould. China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fou	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Iis

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The GALLIUM Threat Actor is associated with BlackMould. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar	Unspecified	2

Source Document References

Information about the BlackMould Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	CERT-EU	a year ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
	MITRE	2 years ago	GALLIUM: Targeting global telecom