
SonicWall has issued an advisory informing customers that a malicious version of its SonicWall SSL VPN NetExtender app is being used to steal VPN configuration and credentials. The company warns that threat actors have modified two files used by the NetExtender VPN application, which is used by several organisations to allow remote users to securely connect to the main network. Microsoft and SonicWall have taken measures to block the spread of the modified versions of the NetExtender application.
In a security advisory issued earlier this week, SonicWall said that it detected the modified version of the NetExtender SSL VPN application in collaboration with Microsoft Threat Intelligence (MSTIC). The malicious version of the app was hosted on a website that allowed users to download the trojanised version of the latest release, version 10.3.2.27.
Image: The NetExtender application files modified by the threat actor (Photo Credit: SonicWall)
According to the company, the threat actors digitally signed the trojanised version of the NetExtender app, which allowed it to bypass security checks on Windows. It was signed using a digital certificate issued to “CITYLIGHT MEDIA PRIVATE LIMITED”.
If a user downloaded the fake version of the SonicWall NetExtender VPN app, it would install two modified applications, “NeService.exe” and “NetExtender.exe”. The threat actor’s changes to NeService.exe allowed them to bypass the digital certificate checks performed when the app is loaded.
Meanwhile, the modified NetExtender.exe application would collect details about the user’s VPN configuration, including their username, password, domain, and other information. These would be sent to a remote server once the user clicked the Connect button.
SonicWall has updated its malware detection software and will automatically block the malicious software after identifying it as GAV: Fake-NetExtender (Trojan). Microsoft’s Windows Defender software can also detect the trojanised version of the app, which is categorised as “SilentRoute” Trojan (“TrojanSpy:Win32/SilentRoute.A”).
The digital certificate used to sign the installer has also been revoked, and the companies worked to take down the websites that were being used to impersonate the NetExtender VPN application. Meanwhile, SonicWall has urged users to download the application from its website instead of using third-party sources.
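For administrators who want to check endpoints, the following PowerShell audit is an added example, not code from SonicWall, Microsoft or the original article. It locates the two file names mentioned above and reports each file's Authenticode status and signer, flagging the signer name reported in the advisory. The search roots and the `-SearchRoot` parameter are assumptions made for illustration.

```powershell
# Added example (not SonicWall or Microsoft code): audit NetExtender binaries.
# Assumption: the client lives somewhere under the Program Files directories;
# -SearchRoot is a hypothetical parameter for pointing the scan elsewhere.
param(
    [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
)

# File names and signer name as reported in the article.
$targetNames = @('NeService.exe', 'NetExtender.exe')
$reportedSigner = 'CITYLIGHT MEDIA PRIVATE LIMITED'

# Skip roots that are empty or missing (e.g. no x86 directory on 32-bit hosts).
$roots = $SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $targetNames -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            # -like is case-insensitive, so casing differences in the subject do not matter.
            $verdict = if ($subject -like "*$reportedSigner*") {
                'MATCHES-REPORTED-SIGNER'
            } elseif ($sig.Status -ne 'Valid') {
                'SIGNATURE-NOT-VALID'
            } else {
                'VALID-CONFIRM-SIGNER-IS-VENDOR'
            }

            # Record version and hash so the finding can be handed to incident response.
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                Status  = $sig.Status
                Signer  = $subject
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Verdict = $verdict
            }
        }
}

if (-not $findings) {
    Write-Output 'No NetExtender binaries found under the search roots.'
} else {
    $findings | Sort-Object Verdict | Format-List
}
```

A `Valid` status only means the signature chain verified on that host, so the reported signer should still be compared against the vendor's name. Any host with a match on the reported signer should have its VPN credentials treated as exposed.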