Trojanized SonicWall NetExtender: A Deceptive Attack Targeting VPN Users


A malicious campaign has been identified involving a deceptive, Trojanized version of SonicWall’s SSL VPN NetExtender application. This malicious app mimics the legitimate software used to allow remote users to securely connect to company networks. The fraudulent app has been modified to steal VPN credentials, including usernames, passwords, and domain information, by sending them to a remote server.

Severity Level: High

Threat Details

The attackers have altered a legitimate version of the NetExtender installer (version 10.3.2.27) to create a Trojanized version that is signed with a malicious digital certificate from “CITYLIGHT MEDIA PRIVATE LIMITED.” This modified installer was then hosted on a fake website designed to look like the official SonicWall website, tricking users into downloading the malicious software.

The threat actor incorporated modifications in the following NetExtender installer files:

  1. NeService.exe (modified version with no valid digital signature)
  2. NetExtender.exe (modified version with no valid digital signature)

The malicious components steal VPN configuration data when users try to establish a remote connection via the NetExtender application.

Technical Mechanism

  • NeService.exe: This component validates the digital certificates of NetExtender files. In the malicious version, this function has been bypassed, allowing the installer to run despite the absence of a valid certificate.
  • NetExtender.exe: Additional code was embedded in this executable to send VPN configuration data (e.g., username, password, and domain) to a remote server once the user initiates a connection. The stolen data is sent over HTTP to a server with IP address 132.196.198[.]163 on port 8080.

Company’s Response

SonicWall, in collaboration with Microsoft, responded quickly to the threat. The impersonating websites have been taken down, and the malicious installer’s digital certificate was revoked.

Recommendations

  1. Users must download SonicWall software only from official sources, such as sonicwall[.]com or mysonicwall[.]com, to avoid installing malicious versions.
  2. Ensure that endpoint protection software is up-to-date and configured to detect the Trojanized installers.
  3. Monitor VPN-related traffic for unusual outbound connections to unknown IP addresses (such as 132.196.198[.]163), particularly those on port 8080.
  4. Implement MFA for VPN access to add an additional layer of security, even if login credentials are compromised.
  5. Conduct awareness training for employees to recognize phishing sites and avoid downloading software from unofficial sources.
  6. Regularly verify the integrity of critical software, such as VPN clients, by checking their digital signatures and ensuring they have not been tampered with.
  7. Block the IOCs at their respective controls. The full indicator set is available in the following VirusTotal collection:
    https://www.virustotal.com/gui/collection/211adafe4856259d73484b769e1e8da4b0670626aa773b183bc99329a2e31212/iocs
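Recommendation 6 can be turned into a repeatable check. The following PowerShell script is an added example (not code from the advisory or from SonicWall) that verifies the Authenticode signature of the two binaries the advisory names as modified; the install directory and the expected signer substring are assumptions to adjust for your environment.

```powershell
# Added example: verify that NeService.exe and NetExtender.exe carry a valid
# Authenticode signature from the expected publisher. The advisory reports that
# the Trojanized copies of these files have no valid signature and that the
# installer was signed by "CITYLIGHT MEDIA PRIVATE LIMITED", so both an invalid
# status and an unexpected signer are treated as suspect.
$InstallDir     = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender'  # assumed default path
$ExpectedSigner = 'SonicWall'                          # assumed substring of the legitimate signer CN
$Targets        = @('NeService.exe', 'NetExtender.exe')  # files the advisory says were modified

function Test-NetExtenderSignature {
    param([string]$Path, [string]$ExpectedSigner)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = '<none>'
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
    # Status is Valid only when the file hash matches the signature and the chain is trusted;
    # NotSigned and HashMismatch are what a tampered binary typically reports.
    $ok = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
    $verdict = 'SUSPECT'
    if ($ok) { $verdict = 'OK' }
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Verdict = $verdict
    }
}

$results = foreach ($name in $Targets) {
    $full = Join-Path $InstallDir $name
    if (Test-Path $full) {
        Test-NetExtenderSignature -Path $full -ExpectedSigner $ExpectedSigner
    } else {
        [pscustomobject]@{ File = $full; Status = 'Missing'; Signer = '<n/a>'; Verdict = 'CHECK' }
    }
}

$results | Format-Table -AutoSize

# Exit non-zero when any file is not validly signed by the expected publisher, so the
# script can be scheduled through endpoint management and its failures alerted on.
if ($results | Where-Object Verdict -ne 'OK') { exit 1 } else { exit 0 }
```

Run the same check against a freshly downloaded installer before deploying it; a signer other than the expected publisher is the first sign that the download did not come from an official source.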

Source:

  • https://www.sonicwall.com/blog/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information


