The malicious application was designed to steal a user's VPN configuration, including their username, password, domain, and other information.
SonicWall has urged users to download the NetExtender app from its website
Photo Credit: Pexels/ Sora Shimazaki
SonicWall has issued an advisory that informs customers that a malicious version of its SonicWall SSL VPN NetExtender app is being used to steal VPN configuration and credentials. The company warns that threat actors have modified two files used by the NetExtender VPN application, which is used by several organisations to allow remote users to securely connect to the main network. Microsoft and SonicWall have taken measures to block the spread of the modified versions of the NetExtender application.
In a security advisory issued earlier this week, SonicWall said that it detected the modified version of the NetExtender SSL VPN application in collaboration with Microsoft Threat Intelligence (MSTIC). The malicious version of the app was hosted on a website that allowed users to download the trojanised version of the latest release, version 10.3.2.27.
The NetExtender application files modified by the threat actor
Photo Credit: SonicWall
According to the company, the threat actors digitally signed the trojanised version of the NetExtender app, which allowed it to bypass security checks on Windows. It was signed using a digital certificate issued to "CITYLIGHT MEDIA Private LIMITED".
If a user downloaded the fake version of the SonicWall NetExtender VPN app, it would install two modified applications, "NeService.exe" and "NetExtender.exe". The threat actor's changes to the NeService.exe allowed them to bypass the digital certificate checks performed when the app is loaded.
Meanwhile, the modified NetExtender.exe application would collect details about the user's VPN configuration, including their username, password, domain, and other information. These would be sent to a remote server once the user clicked the Connect button.
SonicWall has updated its malware detection tool and will automatically block the malicious software after identifying it as GAV: Fake-NetExtender (Trojan). Microsoft's Windows Defender software will also detect the trojanised version of the app, which is categorised as "SilentRoute" Trojan ("TrojanSpy:Win32/SilentRoute.A")
The digital certificate used to sign the installer has also been revoked, and the companies worked to take down the websites that were being used to impersonate the NetExtended VPN application. Meanwhile, SonicWall has urged users to download the application from its website instead of using third party sources.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.