Deobfuscating a Dropper for a ZLoader Trojan Variant

@James_Carson

Regarding this article, https://www.secplicity.org/2021/04/01/deobfuscating-a-dropper-for-a-zloader-trojan-variant/, was the person who received the initial email SUPPOSED to be able to receive suspicious emails, or was this person just a general user at WatchGuard? The reason I ask is that no general user should be receiving emails with attached VBS files. Your article even notes, "Enable or implement e-mail filtering for malicious message bodies and attachments, with an emphasis on attachments."

WHY did this person even receive this email? What if they fell for it? Would WatchGuard be the next company in the news about a massive breach, putting all of us and our clients at risk?

Gregg

Gregg Hill

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi Greg,

    The group that writes those articles works in a confined test environment. They research malware, spam, and other security exploits.

    Nothing they're doing is on a network that touches customer information/data. It's all kept segregated.

    If you have any questions specific for that team, I'd suggest using the feedback forms that are in each article.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson
    The reason for the question is this, from the 1st part of the article:
    "On March 18th, 2021, the DNSWatch Tailored Analysis Team received an email from an internal WatchGuard employee who deemed the email as suspicious. The initial email included an attachment with the title Attachment_57904. A DNSWatch Analyst performed an initial assessment of the file in search of any malicious indicators or behaviors only to discover that the file was a heavily obfuscated Visual Basic Script (.vbs)."

    This suggests that the .vbs file came to the WatchGuard employee via normal e-mail, perhaps to a WG e-mail account.

  • james.carson Moderator, WatchGuard Representative

    Hi @Bruce_Briggs

    I'll send a request to that team to see if they can elaborate on what their process is. My assumption is that it was reported via our internal IT system.

    -James Carson
    WatchGuard Customer Support

  • RyanEstes WatchGuard Representative

    Hi @Bruce_Briggs and @Greggmh123 !

    Gregg's initial post was received in my email inbox and I was made aware that this was also a forum post. Your concerns are loud and clear and completely understandable considering what was in the post. You can find my response below.

    Hi Gregg!

    Thanks for reaching out about the article. You bring up some excellent questions and I think I can clarify all of them.

    The email explained in the article was sent to a general user from WatchGuard. The Visual Basic Script was not an attachment to the e-mail message. Rather, it was hosted in a password-protected archive at a Google Drive hyperlink contained in the email body. There was a communication discrepancy when transferring the file from the analysis team to myself which led me to believe it was an attachment. Thankfully, you made me aware of the issue and I immediately changed the article to reflect this notion.

    If this file was sent as an attachment, it would have been caught by our email filters. Additionally, the article is mostly a testament to the ongoing anti-phishing training we perform, and the email was likely caught due to these ongoing efforts. Nevertheless, the signature of the malware was in our detection systems at the time of analysis. I wrote this post to also show the interesting ways malware authors attempt to evade network defenses.

    I hope you found it interesting and if you have any other questions, I'd be happy to answer them as well. If not, have a great Easter weekend!

    Take care,

    Ryan

    Let me know if there are any further questions I can answer!

    -Ryan

  • I emailed Ryan on April 2nd right after I made that post and suggested he also come here to explain, which he did on the 4th as you can see above.

    Gregg Hill
