BUBBLEWRAP

Bubblewrap is a malware that was observed being uploaded by the admin@338 threat group to their Dropbox account. The malware is a second stage backdoor that can communicate using HTTP, HTTPS, or a SOCKS proxy and is set to run when the system boots. The admin@338 group has been previously seen using Bubblewrap and uses a first stage malware called LOWBALL to collect information about interesting targets before delivering the second stage malware. The particular sample of Bubblewrap analyzed connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the group but had not been active for some time prior to this recent activity. Upon execution, the malware uses a specific command to rename a file to audiodg.exe and start it, as well as collect system information and download data from the D: drive. Bubblewrap is a dangerous malware that can steal personal information from infected systems and disrupt operations. It is important for individuals and organizations to be vigilant in protecting their systems from malware such as Bubblewrap by avoiding suspicious downloads, emails, or websites, and regularly updating antivirus software. In addition, it is recommended to back up important data to minimize the impact of a potential malware attack.