LOWBALL

Malware updated 5 months ago (2024-05-04T20:18:11.473Z)
LOWBALL is a sophisticated malware payload used by a China-based cyber threat group often referred to as "admin@338". This advanced persistent threat (APT) group used LOWBALL in operations targeting media organizations in Hong Kong and Taiwan. LOWBALL is a first-stage payload: it allows the group to gather information from victims before delivering a second-stage malware, known as BUBBLEWRAP, to confirmed targets.

LOWBALL is notable for abusing the Dropbox cloud storage service for command and control (CnC), which makes its activity difficult for network defenders to distinguish from legitimate traffic. The malware calls back to a Dropbox account controlled by the attackers. Upon receiving the call-back, the attackers create a file named "[COMPUTER_NAME]_upload.bat" containing commands to be executed on the compromised computer. The same mechanism lets the attackers update the compromised host with new versions of LOWBALL, maintaining control over the infected system.

LOWBALL was delivered via spear-phishing emails containing malicious documents that exploited an older vulnerability in Microsoft Office, CVE-2012-0158.

In conclusion, LOWBALL represents a significant evolution in malware design and deployment, using cloud storage services to mask its activities and maintain persistence within infected systems. Despite the innovative use of cloud services for CnC, the initial infection vector remains traditional: exploitation of a known vulnerability via spear-phishing emails. The ongoing use of LOWBALL by APT groups underscores the importance of regular system updates and robust cybersecurity measures to mitigate such threats.
Description last updated: 2024-05-04T20:04:00.321Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations: Other elements of context that could aid in the identification of relevance.
Associated Vulnerabilities
Alias: CVE-2012-0158
Description: The CVE-2012-0158 vulnerability is associated with LOWBALL. CVE-2012-0158 is a software vulnerability that was first exploited in 2012, resulting from a flaw in the design or implementation of the Microsoft Windows Common Controls ActiveX Control. This vulnerability was primarily leveraged through parsing Rich Text Format (.rtf) files and allowed malicious actor
Association Type: Unspecified
Votes: 2