
SonicWall, in collaboration with Microsoft Threat Intelligence (MSTIC), has uncovered a sophisticated campaign that distributes a Trojanized version of SonicWall’s NetExtender VPN client, masquerading as the legitimate software. The modified installer, though visually indistinguishable from the original, silently exfiltrates VPN credentials and configuration details to a remote server.
“SonicWall has identified a deceptive campaign to distribute a hacked and modified version of SonicWall’s SSL VPN NetExtender application that closely resembles the official SonicWall NetExtender software,” the joint report reveals.
The compromised installer mimics version 10.3.2.27 of the NetExtender client—the latest official release—and is even digitally signed by a third-party entity, “CITYLIGHT MEDIA PRIVATE LIMITED.” Despite the signature, both SonicWall’s Gateway Anti-Virus (GAV) and Microsoft Defender detect the fake installer as Fake-NetExtender [Trojan] and TrojanSpy:Win32/SilentRoute.A, respectively.
Once executed, the malicious software performs similarly to the authentic client, allowing victims to connect to their corporate VPNs. However, it secretly modifies critical components to bypass security validations and steal sensitive connection data.
Two primary components of the NetExtender installation were modified:
- NeService.exe: This Windows service normally validates digital certificates for NetExtender’s integrity. In the malicious version, attackers patched the service to bypass certificate validation checks, allowing corrupted or tampered files to run without triggering any warnings. “The patch bypasses the check, allowing execution to continue regardless of validation results,” the report details.
- NetExtender.exe: The attackers injected additional code that activates once a user attempts to connect to a VPN. This code siphons the username, password, domain, and other VPN configuration details and sends them to the hardcoded IP address 132.196.198.163 over port 8080. “Once the VPN configuration details are entered and the ‘Connect’ button is clicked… the data is sent to the remote server,” researchers explain.
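A defender-side hunt for the two indicators above (the hardcoded exfiltration endpoint and the fraudulent signer), added here as an example and not taken from the SonicWall/MSTIC report; the event shape, the legitimate publisher name fragment and every sample record are assumptions constructed for the example.

```python
"""Hunt for NetExtender traffic to the hardcoded endpoint and for NetExtender binaries with the fraudulent signer."""
from ipaddress import ip_address

# Indicators taken from the SonicWall/MSTIC report.
EXFIL_IP = ip_address("132.196.198.163")
EXFIL_PORT = 8080
FRAUDULENT_SIGNER = "CITYLIGHT MEDIA PRIVATE LIMITED"
# Assumption: the genuine publisher name contains "SonicWall".
EXPECTED_PUBLISHER_FRAGMENT = "sonicwall"

SAMPLE_EVENTS = [  # constructed, Sysmon Event ID 3-like records (assumed shape)
    {"image": r"C:\Program Files\SonicWall\SSL-VPN\NetExtender\NetExtender.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"image": r"C:\Users\alice\Downloads\NetExtender.exe",
     "dest_ip": "132.196.198.163", "dest_port": 8080},
    {"image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "132.196.198.163", "dest_port": 8080},
]

SAMPLE_BINARIES = [  # constructed Authenticode-style metadata (assumed shape)
    {"path": r"C:\Users\alice\Downloads\NetExtender.exe",
     "version": "10.3.2.27", "signer": "CITYLIGHT MEDIA PRIVATE LIMITED"},
    {"path": r"C:\Program Files\SonicWall\SSL-VPN\NetExtender\NetExtender.exe",
     "version": "10.3.2.27", "signer": "SonicWall Inc."},
]

def flag_exfil_connections(events):
    """Any process reaching the hardcoded IP:port is a hit. The malicious
    client only calls home after 'Connect' is clicked, so no hit in a
    short window proves nothing."""
    return [ev for ev in events
            if ip_address(ev["dest_ip"]) == EXFIL_IP
            and int(ev["dest_port"]) == EXFIL_PORT]

def flag_bad_signers(binaries):
    """Version 10.3.2.27 matches the genuine release, so version alone does
    not separate the two; the signer does. Returns (path, reason) pairs."""
    hits = []
    for b in binaries:
        if "netextender" not in b["path"].lower():
            continue
        signer = b["signer"]
        if signer.upper() == FRAUDULENT_SIGNER:
            hits.append((b["path"], "revoked fraudulent signer"))
        elif EXPECTED_PUBLISHER_FRAGMENT not in signer.lower():
            hits.append((b["path"], f"unexpected signer: {signer}"))
    return hits
```

Run both functions over real Sysmon network events and signer metadata collected from endpoints; a signer hit on a file that already sits in the install directory means the Trojanized installer was run, not merely downloaded.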
Upon discovery, SonicWall and Microsoft took swift action to:
- Take down the impersonating websites
- Revoke the fraudulent digital certificate
- Deploy threat signatures in their respective security solutions
Users are now strongly advised to download NetExtender only from SonicWall’s official portals: