LOWBALL

Malware Profile Updated 13 days ago
LOWBALL is a malware payload used by a China-based cyber threat group commonly tracked as "admin@338". This advanced persistent threat (APT) group used LOWBALL in operations targeting media organizations in Hong Kong and Taiwan. LOWBALL is a first-stage tool: it lets the group gather information from victims before a second-stage malware, BUBBLEWRAP, is delivered to confirmed targets of interest.

What sets LOWBALL apart is its abuse of the Dropbox cloud storage service for command and control (CnC), which makes its traffic hard to distinguish from legitimate use of the service. The malware calls back to a Dropbox account controlled by the attackers. After receiving the call-back, the attackers create a file named "[COMPUTER_NAME]_upload.bat" containing commands to be executed on the compromised computer. The same mechanism lets the attackers update the compromised host with new versions of LOWBALL, maintaining control over the infected system.

LOWBALL was delivered via spear-phishing emails carrying malicious documents that exploited an older Microsoft Office vulnerability (CVE-2012-0158).

In summary, LOWBALL shows how cloud storage services can be used to mask CnC activity and maintain persistence within infected systems. Despite the novel use of cloud services for CnC, the initial infection vector remains traditional: exploiting known vulnerabilities via spear-phishing emails. The continued use of LOWBALL by APT groups underscores the importance of regular patching and robust security controls to mitigate such threats.
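As an added illustration (not code from the page or from any vendor), the following triage routine correlates the two observable behaviours described above: a process contacting Dropbox and the creation of a per-host "[COMPUTER_NAME]_upload.bat" tasking file. The endpoint telemetry and the Dropbox hostnames it matches against are constructed assumptions, not indicators from the page.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the page). Each event is
# (host, pid, process, kind, detail): "net" events carry the remote hostname,
# "file" events carry the path of a file that the process created.
EVENTS = [
    ("WS-0412", 3120, "svchost_upd.exe", "net", "api.dropboxapi.com"),
    ("WS-0412", 3120, "svchost_upd.exe", "file", r"C:\Users\Public\WS-0412_upload.bat"),
    ("WS-0412", 880, "Dropbox.exe", "net", "api.dropboxapi.com"),      # legitimate client
    ("WS-0555", 1500, "explorer.exe", "file", r"D:\WS-0555_upload.bat"),
    ("WS-0777", 2210, "notepad.exe", "file", r"C:\Temp\notes_upload.bat"),  # wrong name
    ("WS-0999", 4100, "taskhost.exe", "net", "content.dropboxapi.com"),
]

# Domains assumed to belong to Dropbox's service surface (assumption, not from the page).
DROPBOX_DOMAINS = ("dropboxapi.com", "dropbox.com")


def is_dropbox(remote: str) -> bool:
    """True if the remote hostname is a Dropbox domain or a subdomain of one."""
    remote = remote.lower()
    return any(remote == d or remote.endswith("." + d) for d in DROPBOX_DOMAINS)


def is_tasking_file(host: str, path: str) -> bool:
    """True if the created file matches the [COMPUTER_NAME]_upload.bat naming scheme."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == f"{host}_upload.bat".lower()


def triage(events):
    """Map (host, pid, process) to a severity.

    "high"   : the same process talks to Dropbox AND creates the per-host tasking file.
    "medium" : tasking file created but no Dropbox traffic seen for that process.
    Dropbox traffic alone is not reported, since the real client produces it too.
    """
    signals = defaultdict(set)
    for host, pid, proc, kind, detail in events:
        if kind == "net" and is_dropbox(detail):
            signals[(host, pid, proc)].add("dropbox-cnc")
        elif kind == "file" and is_tasking_file(host, detail):
            signals[(host, pid, proc)].add("tasking-file")
    findings = {}
    for key, seen in signals.items():
        if seen == {"dropbox-cnc", "tasking-file"}:
            findings[key] = "high"
        elif seen == {"tasking-file"}:
            findings[key] = "medium"
    return findings
```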
Source Document References
Information about the LOWBALL malware was read from the documents below.

MITRE, a year ago: China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets | Mandiant
MITRE, a year ago: The EPS Awakens - Part 2 « Threat Research
CERT-EU, 3 months ago: Zoomer Hackers Shut Down the Biggest Extortion Ring of All | National Cyber Security Consulting
CERT-EU, 9 months ago: Leftover Links 29/08/2023: Fukushima Uproar in China