Openhunting Threat Library

LOWBALL

LOWBALL
(Type: Backdoor, Exfiltration)

(FireEye) This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.

[News Analysis] Trends:

Total Trend: 2

Trend Per Year
1
2015
1
2019


Trend Per Month
1
Dec 2015
1
Aug 2019



[News Analysis] News Mention Another Threat Name:

5 - HTML5 Encoding7 - LOWBALL5 - Makadocs5 - MiniDuke5 - RogueRobinNET5 - RokRAT2 - BUBBLEWRAP2 - TEMPER PANDA


[TTP Analysis] Technique Performance:

reconnaissance
0/43
resource development
0/45
initial access
0/19
execution
0/36
persistence
0/113
privilege escalation
0/96
defense evasion
0/184
credential access
0/63
discovery
0/44
lateral movement
0/22
collection
0/37
command and control
3/39
exfiltration
0/18
impact
0/26


[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1071.001
Application Layer Protocol : Web Protocols
T1105
Ingress Tool Transfer
T1102.002
Web Service : Bidirectional Communication


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

An Overview of Public Platform C2’s

2019-08-12 by Kindred Security from Kindred Security

China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets

2015-12-01 by FireEye Threat Intelligence from FireEye

Basic Information (Credit @etda.or.th)

Tool: LOWBALL

Names: LOWBALL

Description: (FireEye) This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.

Category: Malware

Type: Backdoor, Exfiltration

Information: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

Mitre-attack: https://attack.mitre.org/software/S0042/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:lowball

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1071.001
APPLICATION LAYER PROTOCOL : WEB PROTOCOLS
lowball command and control occurs via https over port 443.
T1105
INGRESS TOOL TRANSFER
lowball uses the dropbox api to request two files, one of which is the same file as the one dropped by the malicious email attachment. this is most likely meant to be a mechanism to update the compromised host with a new version of the lowball malware.
T1102.002
WEB SERVICE : BIDIRECTIONAL COMMUNICATION
lowball uses the dropbox cloud storage service for command and control.