Track Common Adversary Tasks Performed Using BlackMould

 





To know more about it, you can go through my detailed document by clicking here







Overview

BlackMould is a China Chopper-based web shell particularly used for the servers running the Microsoft IIS. It has been exploited by GALLIUM since 2019 for malicious purposes against telecommunication providers.

How Does It Works?

After the successful infiltration of a network, it can easily steal the credentials via common tools and TTPs (Tactics, Techniques, and Procedures) to move laterally across the network which can be further used in moving among the hosts to also execute processes on the other systems. GALLIUM generally use web shells to gain persistence in the target's network in order to drop their second stage malware payloads.

Mitigation

The following methods might help in mitigating the cyber threat:
  • Always maintain web server patching, log audits, and run the the web services with minimum operating system permissions.

  • Regularly update the security services of all the apps and operating systems present in your system.

  • You should also have a forensics-ready network with centralized event logging, file detonation services, as well as updated asset inventories in order to maintain an efficient incident response.

  • Always maintain an updated antivirus and enabled cloud-delivered protection.

  • In order to detect any kind of credential dumping or breach, rely on behavioral detection solutions.








To know more about it, you can go through my detailed document by clicking here























Comments

Popular posts from this blog

Deployment (Part 3)

Project Resourcing (Part 2)

Design Planning (Part 3)