S0042 LOWBALL
LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. [1]
Item | Value
---|---
ID | S0042
Associated Names | (none listed)
Type | MALWARE
Version | 1.1
Created | 31 May 2017
Last Modified | 30 March 2020
Techniques Used
Domain | ID | Name | Use
---|---|---|---
enterprise | T1071 | Application Layer Protocol | (see sub-technique T1071.001)
enterprise | T1071.001 | Web Protocols | LOWBALL command and control occurs via HTTPS over port 443. [1]
enterprise | T1105 | Ingress Tool Transfer | LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware. [1]
enterprise | T1102 | Web Service | (see sub-technique T1102.002)
enterprise | T1102.002 | Bidirectional Communication | LOWBALL uses the Dropbox cloud storage service for command and control. [1]
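The three behaviours above share one observable: an unexpected process on the endpoint talking to the Dropbox API over HTTPS/443, polling for commands (T1102.002) and occasionally pulling a file down (T1105). The detection below is an added example written for this page, not code from MITRE or from the original FireEye reporting. It runs over constructed proxy-log lines embedded in the script; the Dropbox API hostnames and paths, the process allowlist and the beacon-jitter threshold are assumptions to tune per environment, not indicators taken from the page.

```python
"""Flag LOWBALL-style Dropbox API command and control in web-proxy logs.

Legitimate Dropbox traffic comes from the Dropbox client or a browser.  The
anomaly this script looks for is some other process (e.g. an Office binary
spawned from a mail attachment) reaching the Dropbox API on port 443, and in
particular doing so at a regular cadence (C2 polling) or fetching file content
(ingress tool transfer).
"""
import json
from collections import defaultdict
from statistics import mean, pstdev

# Assumed public Dropbox API v2 hosts (assumption; not indicators from the page).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumed allowlist of processes expected to use Dropbox; tune per environment.
EXPECTED_PROCESSES = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed API paths that return file content, mapped to T1105.
DOWNLOAD_PATHS = ("/2/files/download",)

# Constructed sample proxy log (one JSON object per line); not real telemetry.
SAMPLE_LOG = """
{"ts": 1000, "src_host": "WS-17", "process": "winword.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443, "path": "/2/files/list_folder"}
{"ts": 1060, "src_host": "WS-17", "process": "winword.exe", "dst_host": "content.dropboxapi.com", "dst_port": 443, "path": "/2/files/download"}
{"ts": 1120, "src_host": "WS-17", "process": "winword.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443, "path": "/2/files/list_folder"}
{"ts": 1180, "src_host": "WS-17", "process": "winword.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443, "path": "/2/files/list_folder"}
{"ts": 1005, "src_host": "WS-03", "process": "dropbox.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443, "path": "/2/files/list_folder"}
{"ts": 1300, "src_host": "WS-03", "process": "chrome.exe", "dst_host": "content.dropboxapi.com", "dst_port": 443, "path": "/2/files/download"}
{"ts": 1400, "src_host": "WS-09", "process": "outlook.exe", "dst_host": "outlook.office365.com", "dst_port": 443, "path": "/owa"}
"""


def parse_log(text):
    """Parse newline-delimited JSON proxy records into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_events(events):
    """Return one finding per Dropbox API request from a non-allowlisted process.

    Each finding carries the ATT&CK technique it maps to: T1105 when the
    request path fetches file content, otherwise T1102.002 (C2 over a web
    service).
    """
    findings = []
    for e in events:
        if e["dst_host"] not in DROPBOX_API_HOSTS or e["dst_port"] != 443:
            continue
        if e["process"].lower() in EXPECTED_PROCESSES:
            continue
        technique = "T1102.002"
        if any(e["path"].startswith(p) for p in DOWNLOAD_PATHS):
            technique = "T1105"
        findings.append({
            "ts": e["ts"],
            "src_host": e["src_host"],
            "process": e["process"],
            "dst_host": e["dst_host"],
            "path": e["path"],
            "technique": technique,
        })
    return findings


def beacon_candidates(findings, min_count=3, max_jitter=0.2):
    """Group findings by (src_host, process) and report regular polling.

    A group qualifies when it has at least min_count requests and the
    coefficient of variation of the inter-request gaps is <= max_jitter
    (assumed threshold).  Returns {(src_host, process): mean_interval_seconds}.
    """
    groups = defaultdict(list)
    for f in findings:
        groups[(f["src_host"], f["process"])].append(f["ts"])
    beacons = {}
    for key, stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = float(mean(gaps))
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    found = flag_events(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['src_host']} {f['process']} -> {f['dst_host']}{f['path']} [{f['technique']}]")
    for (host, proc), interval in beacon_candidates(found).items():
        print(f"beacon candidate: {host} {proc} every ~{interval:.0f}s")
```

On the constructed sample only the WS-17 winword.exe requests are flagged (three T1102.002 polls and one T1105 download), and the 60-second cadence is reported as a beacon candidate; the Dropbox client and browser traffic from WS-03 is ignored. In a real environment the process field comes from an EDR or a proxy that records the originating binary; without it the same logic can still be applied per source host, at the cost of more false positives on machines where the Dropbox client is installed.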
Groups That Use This Software
ID | Name | References
---|---|---
G0018 | admin@338 | [1]