LOWBALL

LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. [1]

ID: S0042
Aliases: LOWBALL
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1043 | Commonly Used Port | LOWBALL command and control occurs via HTTPS over port 443. [1] |
| Enterprise | T1105 | Remote File Copy | LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | LOWBALL command and control occurs via HTTPS over port 443. [1] |
| Enterprise | T1102 | Web Service | LOWBALL uses the Dropbox cloud storage service for command and control. [1] |

Groups

Groups that use this software:

admin@338

References