Trojanized SonicWall NetExtender app exfiltrates VPN credentials


Unknown attackers have trojanized SonicWall’s SSL-VPN NetExtender application, the company warned on Monday, and have been tricking users into downloading it from lookalike sites.

The trojanized SonicWall NetExtender installer

SonicWall NetExtender is an SSL‑VPN client used by companies to give remote employees secure access to their internal networks.

SonicWall does not mention how prospective victims were lured to the lookalike sites impersonating the company and offering the compromised version of NetExtender, but said that the application was digitally signed by “CITYLIGHT MEDIA PRIVATE LIMITED.”

The threat actors modified two component files of the legitimate NetExtender installer: NeService.exe (with an invalid digital signature), and NetExtender.exe (with no digital signature).

NeService.exe, a Windows service used by the legitimate NetExtender application, calls a function that checks the digital certificates of the NetExtender components and allows or blocks execution depending on the result of that check.

“In the malicious installer, this file is patched at all locations where the function results are evaluated. The patch bypasses the check, allowing execution to continue regardless of validation results,” SonicWall says.

NetExtender.exe was modified with code that sends the VPN configuration information – username, password, domain, etc. – over port 8080 to a remote server at 132.196.198.163:

The data exfiltrating code (Source: SonicWall)
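As an added example (not SonicWall’s or Microsoft’s code, and not taken from the advisory), the PowerShell below turns the two indicators above into a local check an administrator can run: it passes the two modified component files through Get-AuthenticodeSignature and reports anything unsigned, anything whose signature no longer validates, and anything signed by the certificate named in the advisory, then lists live TCP connections to the exfiltration address and port. The install directory and the expected signer substring are assumptions; confirm both against a known-good installation before trusting the "OK" verdict.

```powershell
# Added example, not SonicWall's code. Audits the NetExtender component files the
# advisory says were modified and looks for the exfiltration connection it describes.
# ASSUMPTIONS (not from the article): $InstallDir and $ExpectedSigner. Verify both
# against a known-good installation obtained from sonicwall.com or mysonicwall.com.

$InstallDir     = 'C:\Program Files\SonicWall\SSL-VPN\NetExtender'  # assumed default path
$ExpectedSigner = 'SonicWall'                                       # assumed substring of the legitimate certificate subject
$KnownBadSigner = 'CITYLIGHT MEDIA PRIVATE LIMITED'                 # signer named in the advisory
$ExfilHost      = '132.196.198.163'                                 # remote server named in the advisory
$ExfilPort      = 8080                                              # port named in the advisory

function Test-NetExtenderSignature {
    # Returns one record per file with the raw signature status and a verdict.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Status = 'Missing'; Signer = $null; Verdict = 'MISSING: file not found' }
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    if ($subject -like "*$KnownBadSigner*") {
        $verdict = 'BAD: signed with the certificate named in the advisory'
    } elseif ($sig.Status -eq 'NotSigned') {
        # The trojanized NetExtender.exe carried no signature at all.
        $verdict = 'BAD: no digital signature'
    } elseif ($sig.Status -ne 'Valid') {
        # A patched NeService.exe no longer matches its signed hash (HashMismatch),
        # which is what the advisory calls an invalid digital signature.
        $verdict = "BAD: signature check failed ($($sig.Status))"
    } elseif ($subject -notlike "*$ExpectedSigner*") {
        $verdict = 'SUSPECT: valid signature but not the expected signer'
    } else {
        $verdict = 'OK'
    }

    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Verdict = $verdict
    }
}

function Find-ExfilConnection {
    # Lists current TCP connections to the advisory's address and port, with the owning process.
    # Only live connections are visible here; closed flows must be sought in firewall/proxy logs.
    Get-NetTCPConnection -RemoteAddress $ExfilHost -RemotePort $ExfilPort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                ProcessId     = $_.OwningProcess
                ProcessName   = $proc.ProcessName
                ProcessPath   = $proc.Path
            }
        }
}

# The two component files the advisory says were modified, plus any installer
# passed on the command line (e.g. a downloaded NetExtender setup package).
$targets = @("$InstallDir\NeService.exe", "$InstallDir\NetExtender.exe") + $args

$targets | ForEach-Object { Test-NetExtenderSignature -Path $_ } | Format-Table -AutoSize

$conns = @(Find-ExfilConnection)
if ($conns.Count -gt 0) {
    Write-Warning "Live connection(s) to ${ExfilHost}:${ExfilPort} found:"
    $conns | Format-Table -AutoSize
} else {
    Write-Host "No live connection to ${ExfilHost}:${ExfilPort}."
}
```

Run it from an elevated prompt so Get-NetTCPConnection can resolve the owning process for every socket. A status of HashMismatch on NeService.exe or NotSigned on NetExtender.exe is exactly the condition the advisory describes, and a valid signature from an unexpected subject is worth a second look even when it is not the CITYLIGHT certificate, since that certificate has since been revoked and a later build could be re-signed with another.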

The digital certificate used has been revoked

The “deceptive” campaign was spotted by SonicWall and Microsoft’s threat analysts, but no details about the nature of the deception used have been shared.

Was this a targeted email campaign? Were victims redirected to the site(s) by malicious adverts or search results? We’ve asked SonicWall for more details on that front, and we’ll update this article when we hear back from them.

The impersonating websites have been taken down and the digital certificate used to sign the trojanized installer has been revoked, the company confirmed, and urged users to always download SonicWall applications either from sonicwall.com or mysonicwall.com.

The trojanized installer is now detected and removed by Microsoft Defender Antivirus and SonicWall’s Capture ATP multi-engine sandbox, the company added.
