Lowball is a type of malware, or malicious software, designed to compromise and damage computer systems. It was reportedly used by a China-based cyber threat group, known in some circles as "admin@338", which FireEye tracks as an uncategorized advanced persistent threat (APT) group. The group's use of Lowball during its activities in Hong Kong, even though China-based groups answer to different sponsors, underlines that penetrating Hong Kong- and Taiwan-based media organizations remains a priority for those groups. The malware was delivered in email messages carrying malicious documents that exploited older vulnerabilities in Microsoft Office. Once a system was infected, Lowball let the group collect information about the victim; after confirming that the target was of value, the group delivered a second-stage malware called Bubblewrap.
Lowball abuses the Dropbox cloud storage service for command and control (CnC). After infecting a system, the malware calls back to a Dropbox account in which the attackers have placed a file containing commands to be executed on the compromised computer. This mechanism is likely meant to update the compromised host with a new version of the Lowball malware. Using a legitimate cloud storage service such as Dropbox helps mask the malware's activity from network defenders, because the callbacks blend in with ordinary use of the service, and this is what makes the technique notable.
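Because file-based C2 over a cloud service looks like normal traffic at the host level, one defensive angle is the polling cadence: an implant that repeatedly fetches its command file does so on a schedule, whereas a person does not. The script below is an added illustration, not code from the original description or from any vendor; its log format, host list, user-agent allow-list and sample lines are all constructed for the example.

```python
"""Flag hosts that poll Dropbox at a near-constant interval from an
unexpected client (constructed example; not vendor tooling)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical host list and allow-list of clients expected to use Dropbox.
DROPBOX_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com",
                 "dl.dropboxusercontent.com")
EXPECTED_AGENTS = ("DropboxDesktopClient", "Mozilla/")


def parse_line(line):
    """Parse the constructed format 'ISO-timestamp src_ip host user_agent'."""
    ts, src, host, agent = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, host, agent


def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Return {src_ip: (hit_count, mean_interval_seconds)} for sources whose
    Dropbox requests come from an unexpected agent at a regular interval."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, host, agent = parse_line(line)
        if host in DROPBOX_HOSTS and not agent.startswith(EXPECTED_AGENTS):
            by_src[src].append(ts)
    findings = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Small relative spread of the gaps means scheduled polling, not a user.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[src] = (len(stamps), round(avg))
    return findings


SAMPLE_LOG = [  # constructed: one 5-minute beacon, one irregular script, one hit
    "2024-10-21T08:00:00 10.0.0.5 api.dropboxapi.com WinHTTP/1.0",
    "2024-10-21T08:05:01 10.0.0.5 api.dropboxapi.com WinHTTP/1.0",
    "2024-10-21T08:10:00 10.0.0.5 api.dropboxapi.com WinHTTP/1.0",
    "2024-10-21T08:14:59 10.0.0.5 api.dropboxapi.com WinHTTP/1.0",
    "2024-10-21T08:20:01 10.0.0.5 api.dropboxapi.com WinHTTP/1.0",
    "2024-10-21T08:03:10 10.0.0.7 content.dropboxapi.com python-requests/2.31",
    "2024-10-21T08:03:12 10.0.0.7 content.dropboxapi.com python-requests/2.31",
    "2024-10-21T09:40:00 10.0.0.7 content.dropboxapi.com python-requests/2.31",
    "2024-10-21T09:41:00 10.0.0.7 content.dropboxapi.com python-requests/2.31",
    "2024-10-21T08:30:00 10.0.0.9 dl.dropboxusercontent.com curl/8.0",
]

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # -> {'10.0.0.5': (5, 300)}
```

The thresholds are starting points: a real deployment would tune `min_hits` and `max_jitter` against baseline traffic, since implants may add random sleep to defeat exactly this check.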
The impact of Lowball was felt by Change Healthcare, which reported a hacking incident involving the malware to federal regulators as a HIPAA breach affecting 500 individuals. This was initially seen as a placeholder estimate, leading to questions about whether Change Healthcare had lowballed its first breach report. In a different context, the term "lowball" was associated with fraudulent activities by health insurers, such as when New York Attorney General Andrew Cuomo sued a company in 2008 for providing low estimates for medical services. Despite these challenges, companies continue to navigate cybersecurity threats, with some even beating lowball guidance in their second quarter earnings.
Description last updated: 2024-10-21T08:37:27.324Z