The LOWBALL cyber-threat is classified as a Trojan Downloader and is attributed to a well-known APT (Advanced Persistent Threat) group dubbed 'admin@338.' The tactic employed by admin@338 is relatively simple: they send spear-phishing emails to a wide range of organizations and wait for an employee to open the attached Microsoft Word file. The document carries a macro that drops the LOWBALL Trojan onto the PC. Once running, LOWBALL collects general information about the device and maps the computer network. This reconnaissance is performed by a batch script named '[COMPUTER_NAME]_upload.bat', which writes its results to a file named '[COMPUTER_NAME]_download'. That output is sent to the 'Command and Control' (C2) servers, which are hosted on Dropbox. LOWBALL talks to Dropbox through the Dropbox API using a hardcoded authentication token, so its traffic blends in with legitimate cloud-storage use and is harder for AV tools to spot. The attackers then review the collected data to identify systems worth targeting and push a second batch script that tells the infected host which file to download and execute.
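The behaviour described above gives a defender two concrete things to look for: an Office process spawning a shell that runs a batch file named after the local computer with the '_upload.bat' suffix, and Dropbox API traffic originating from a process that is not the Dropbox client. The following Python script is an added example, not part of the original page and not related to any vendor's detection engine; it runs simple detection rules over a few constructed telemetry lines. The key=value log format, the hostnames WS-0142 and WS-0203, the Dropbox API host names, and the allowlist of expected Dropbox client images are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry for this example (not real logs): process-creation
# and web-proxy records in a simplified key=value format that the example assumes.
SAMPLE_EVENTS = [
    r'type=process host=WS-0142 parent=WINWORD.EXE image=cmd.exe cmdline="cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\WS-0142_upload.bat"',
    r'type=process host=WS-0142 parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
    r'type=proxy host=WS-0142 image=cmd.exe dest=api.dropboxapi.com method=POST uri=/2/files/upload',
    r'type=proxy host=WS-0142 image=Dropbox.exe dest=api.dropboxapi.com method=POST uri=/2/files/list_folder',
    r'type=process host=WS-0203 parent=WINWORD.EXE image=cmd.exe cmdline="cmd.exe /c echo hello"',
]

# Assumed lists; tune them to the environment being monitored.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
EXPECTED_DROPBOX_CLIENTS = {"dropbox.exe"}  # processes allowed to talk to the Dropbox API

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, dropping the quotes around quoted values."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def is_recon_batch(host: str, cmdline: str) -> bool:
    """True when the command line runs a batch file named <COMPUTER_NAME>_upload.bat,
    the naming convention described for LOWBALL's reconnaissance script."""
    pattern = rf"(?:^|[\\/ ]){re.escape(host)}_upload\.bat\b"
    return re.search(pattern, cmdline, re.IGNORECASE) is not None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the detection rules to each telemetry line and return the findings."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "")
        image = ev.get("image", "").lower()
        if ev.get("type") == "process":
            parent = ev.get("parent", "").lower()
            # Rule 1/2: an Office application spawning a shell is suspicious on its own;
            # a shell running the host-named upload batch matches the LOWBALL pattern exactly.
            if parent in OFFICE_PARENTS and image in SHELL_IMAGES:
                if is_recon_batch(host, ev.get("cmdline", "")):
                    findings.append({"host": host, "rule": "lowball_recon_batch", "severity": "high"})
                else:
                    findings.append({"host": host, "rule": "office_spawned_shell", "severity": "medium"})
        elif ev.get("type") == "proxy":
            # Rule 3: Dropbox API traffic from anything other than the expected client.
            if ev.get("dest", "").lower() in DROPBOX_API_HOSTS and image not in EXPECTED_DROPBOX_CLIENTS:
                findings.append({"host": host, "rule": "dropbox_api_unexpected_process", "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the script raises three findings: the host-named upload batch launched from Word on WS-0142, cmd.exe posting to the Dropbox API on the same host, and a generic Word-to-cmd.exe spawn on WS-0203. The legitimate Dropbox client's API call is not flagged, which is the point of allowlisting by process image rather than blocking the API host outright.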
The LOWBALL Trojan Downloader can be used to deliver a variety of harmful programs. LOWBALL can drop DDoS modules, ransomware, crypto-mining tools, riskware, adware, info-stealers and keyloggers onto compromised devices. The group using LOWBALL may also rent access to the infected machines to third parties, facilitating the wide distribution of ransomware. PC users are advised to perform security scans regularly and keep their firmware up to date. Detection alerts linked to the LOWBALL Trojan Downloader are listed below:
Malware (ai Score=100)