LOWBALL

Malware Profile Updated 3 months ago
LOWBALL is a first-stage malware payload used by a China-based threat group tracked as "admin@338" in operations against media organizations in Hong Kong and Taiwan. The group uses LOWBALL to collect information from a victim and, once the victim is confirmed as a target of interest, delivers a second-stage backdoor known as BUBBLEWRAP. What sets LOWBALL apart is its abuse of the Dropbox cloud storage service for command and control (CnC): because its traffic goes to a legitimate, widely used service, it blends in with normal activity and is hard for network defenders to spot. Once running, LOWBALL calls back to a Dropbox account controlled by the attackers. When the call-back arrives, the attackers create a file named "[COMPUTER_NAME]_upload.bat" containing the commands to be executed on the compromised computer; this is also how they push new versions of LOWBALL to the host and keep control of the infected system. The malware was delivered through spear-phishing emails carrying malicious documents that exploited an older Microsoft Office vulnerability, CVE-2012-0158. LOWBALL therefore marks a notable step in malware design and deployment: cloud storage services mask the operators' activity and sustain persistence within infected systems, while the initial infection vector remains conventional, exploiting a known vulnerability via spear-phishing emails. The continued use of LOWBALL by APT groups underscores the importance of regular system updates and robust security controls in mitigating such threats.
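The tasking pattern described above leaves two observable artifacts on the endpoint: a process contacting Dropbox, and a batch file named after the computer ("<COMPUTER_NAME>_upload.bat") appearing shortly afterwards. The following detection logic, an added example that is not part of this profile or of any vendor's product, correlates those two signals over constructed Sysmon-style events; the Dropbox domain suffixes, field layout and time window are assumptions to adapt to local telemetry.

```python
"""Correlate endpoint events for the LOWBALL Dropbox tasking pattern."""

# Constructed Sysmon-style events (not real telemetry): (ts, host, kind, image, detail)
SAMPLE_EVENTS = [
    (1, "WS-HK-07", "NetworkConnect", "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "api.dropbox.com:443"),
    (2, "WS-HK-07", "FileCreate", "C:\\Users\\u\\AppData\\Roaming\\svchost.exe",
     "C:\\Users\\u\\AppData\\Local\\Temp\\WS-HK-07_upload.bat"),
    # Legitimate Dropbox client on another host: must not trip the correlation
    (4, "WS-TW-02", "NetworkConnect", "C:\\Program Files\\Dropbox\\Client\\Dropbox.exe", "api.dropbox.com:443"),
    (5, "WS-TW-02", "FileCreate", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\Temp\\backup.bat"),
    # Bat name matches the LOWBALL convention but no Dropbox traffic from that process
    (6, "WS-TW-02", "FileCreate", "C:\\Users\\b\\build.exe", "C:\\build\\WS-TW-02_upload.bat"),
]

# Assumed domain suffixes for Dropbox CnC traffic; extend from your own DNS/proxy data.
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxusercontent.com")


def upload_bat_name(host):
    """Batch file name the operators create for a given computer name."""
    return f"{host}_upload.bat".lower()


def detect_lowball_tasking(events, window=300):
    """Return (severity, host, image, path) alerts.

    high   : the same process contacted Dropbox within `window` seconds before
             writing <HOST>_upload.bat (the full tasking pattern).
    medium : <HOST>_upload.bat was written without a preceding Dropbox contact
             from that process (naming artifact alone, worth triage).
    """
    last_dropbox = {}  # (host, image) -> ts of most recent Dropbox connection
    alerts = []
    for ts, host, kind, image, detail in sorted(events):
        key = (host, image)
        if kind == "NetworkConnect":
            dest = detail.split(":")[0].lower()
            if dest.endswith(DROPBOX_SUFFIXES):
                last_dropbox[key] = ts
        elif kind == "FileCreate" and detail.lower().endswith("\\" + upload_bat_name(host)):
            t0 = last_dropbox.get(key)
            severity = "high" if t0 is not None and ts - t0 <= window else "medium"
            alerts.append((severity, host, image, detail))
    return alerts


if __name__ == "__main__":
    for alert in detect_lowball_tasking(SAMPLE_EVENTS):
        print(alert)
```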
Associated Malware
BUBBLEWRAP: Bubblewrap is a malware that was observed being uploaded by the admin@338 threat group to their Dropbox account. The malware is a second-stage backdoor that can communicate using HTTP, HTTPS, or a SOCKS proxy and is set to run when the system boots. The admin@338 group has been previously seen using
Associated Threat Actors
admin@338: Admin@338 is a threat actor or group that has been identified as originating from China and is known for executing cyber-attacks with malicious intent. Tracked by FireEye as an uncategorized Advanced Persistent Threat (APT) group, this actor has been linked to multiple cybersecurity incidents. One n
Associated Vulnerabilities
CVE-2012-0158: CVE-2012-0158 is a significant vulnerability in the software design and implementation of Microsoft Office, specifically related to the parsing of Rich Text Format (.rtf) files. This flaw was first exploited in spear-phishing attacks where emails contained three different attachments, each exploitin
Source Document References
Information about the LOWBALL malware was read from the documents corpus below (display limited to 20 results).
CERT-EU, 5 months ago: Zoomer Hackers Shut Down the Biggest Extortion Ring of All | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, a year ago: Leftover Links 29/08/2023: Fukushima Uproar in China
MITRE, a year ago: China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets | Mandiant
MITRE, a year ago: The EPS Awakens - Part 2 « Threat Research