BUBBLEWRAP Trojan Description

The BUBBLEWRAP malware is a backdoor Trojan that was publicly reported to the cybersecurity community in August 2015. The BUBBLEWRAP Backdoor Trojan is distributed by abusing platforms such as Dropbox and social media servers. The BUBBLEWRAP Trojan is used by an APT (Advanced Persistent Threat) group called "admin@338." That group is known for attacks on Hong Kong-based media outlets in 2015 and 2016, and is reported to target NGOs, newspapers, and radio and television companies.

The BUBBLEWRAP malware is downloaded to computers by a Trojan Downloader called LOWBALL, which is also developed by the admin@338 APT. LOWBALL is a simple information-gathering program that is installed on targeted devices via macro-enabled Microsoft Word files, delivered primarily through spear-phishing emails. The threat actors use LOWBALL to identify unpatched systems and then install the BUBBLEWRAP Backdoor Trojan on them.

The BUBBLEWRAP malware is installed with administrator rights, giving the threat actors full access to the compromised machine. The BUBBLEWRAP Trojan may create a hidden system administrator account, and affected users are unlikely to notice anything out of the ordinary. The BUBBLEWRAP Trojan is also programmed to reach its C2 servers through connections to trusted servers, legitimate Web services and social media, so its traffic blends in with normal activity. The threat actors behind BUBBLEWRAP can delete data, copy files, and terminate and run programs on demand. If you notice irregular file activity or hidden processes in the Task Manager, you should run a complete system scan.

Detection names associated with BUBBLEWRAP are listed below:

Downloader.Small!8.B41 (CLOUD)
Win32:ShellCode [Expl]
ELMER Trojan