SonicWall Says Malicious NetExtender Client Used to Steal VPN Credentials

SonicWall has issued an advisory that informs customers that a malicious version of its SonicWall SSL VPN NetExtender app is being used to steal VPN configuration and credentials. The company warns that threat actors have modified two files used by the NetExtender VPN application, which is used by several organisations to allow remote users to securely connect to the main network. Microsoft and SonicWall have taken measures to block the spread of the modified versions of the NetExtender application.

SonicWall NetExtender VPN Application Was Digitally Signed By Threat Actors

In a security advisory issued earlier this week, SonicWall said that it detected the modified version of the NetExtender SSL VPN application in collaboration with Microsoft Threat Intelligence (MSTIC). The malicious version of the app was hosted on a website that allowed users to download the trojanised version of the latest release, version 10.3.2.27.

The NetExtender application files modified by the threat actor
Photo Credit: SonicWall

According to the company, the threat actors digitally signed the trojanised version of the NetExtender app, which allowed it to bypass security checks on Windows. It was signed using a digital certificate issued to "CITYLIGHT MEDIA Private LIMITED".

If a user downloaded the fake version of the SonicWall NetExtender VPN app, it would install two modified applications, "NeService.exe" and "NetExtender.exe". The threat actor's changes to the NeService.exe allowed them to bypass the digital certificate checks performed when the app is loaded.

Meanwhile, the modified NetExtender.exe application would collect details about the user's VPN configuration, including their username, password, domain, and other information. These would be sent to a remote server once the user clicked the Connect button.

SonicWall has updated its malware detection tool and will automatically block the malicious software after identifying it as GAV: Fake-NetExtender (Trojan). Microsoft's Windows Defender software will also detect the trojanised version of the app, which is categorised as "SilentRoute" Trojan ("TrojanSpy:Win32/SilentRoute.A")

The digital certificate used to sign the installer has also been revoked, and the companies worked to take down the websites that were being used to impersonate the NetExtended VPN application. Meanwhile, SonicWall has urged users to download the application from its website instead of using third party sources.