SonicWall, in collaboration with Microsoft Threat Intelligence Center (MSTIC), has discovered a sophisticated cybercriminal campaign that targets enterprise users with a Trojanized version of its well-known SSL VPN NetExtender product.
This campaign cleverly impersonates the legitimate SonicWall NetExtender download portal, delivering a weaponized installer built from version 10.3.2.27, the latest official release of the application.
The compromised installer is distributed from spoofed websites and, notably, is digitally signed with a certificate from “CITYLIGHT MEDIA PRIVATE LIMITED” to increase its credibility.
Attackers Impersonate Official SonicWall NetExtender Website
NetExtender is widely used by organizations to grant remote users secure, encrypted access to internal networks, allowing them to run enterprise applications, transfer files, and connect to network resources just as if they were physically present in the office.
The Trojanized NetExtender, however, has been engineered to silently siphon critical VPN configuration data, including usernames, passwords, and domains, to an attacker-controlled command and control (C2) server.

Modified Binaries Exfiltrate VPN Credentials
Technical analysis reveals that the threat actors have surgically modified two core components of the NetExtender installer.
The first, NeService.exe, runs as a Windows service and performs digital certificate verification for installed NetExtender components.
In the malicious version, all validation checks in this binary have been patched out, so tampered components execute regardless of their certificate status.

The altered NetExtender.exe contains additional malicious code, designed to intercept user-provided VPN login details upon connection and transmit them to the remote host at IP address 132.196.198.163 over port 8080, further compromising the integrity of the affected network environments.
Both SonicWall and Microsoft have acted rapidly to disrupt the attack infrastructure.
The impersonating websites hosting the rogue NetExtender have been taken down, and the digital certificate used to sign the malicious installer has been revoked to prevent further exploitation.
Both companies’ security solutions now detect and block the Trojanized software: SonicWall’s threat detection identifies it as “Fake-NetExtender (Trojan)” (GAV), while Microsoft Defender Antivirus flags it as “TrojanSpy:Win32/SilentRoute.A”.
To mitigate the threat, users are strongly advised to download SonicWall applications solely from trusted sources such as sonicwall.com or mysonicwall.com.
According to the report, SonicWall Capture ATP with RTDMI™ and Managed Security Services can detect and quarantine the malicious installer, offering ongoing protection from this and similar attacks.
This campaign underscores the persistent risk posed by supply chain and impersonation attacks. Organizations are urged to double down on verification of download sources and to maintain rigorous endpoint monitoring to prevent credential theft and subsequent breaches.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| SHA256 | d883c067f060e0f9643667d83ff7bc55a218151df600b18991b50a4ead513364 | Malicious NetExtender Installer |
| SHA256 | 71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd | Malicious NEService.exe |
| SHA256 | e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b | Malicious NetExtender.exe |
| Network | 132.196.198.163 | Attacker Command and Control (C2) |
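As a defender's worked example, added here and not code from SonicWall, Microsoft or the article, the script below turns the published indicators into two checks: a SHA-256 sweep of a directory against the three file hashes in the table, and a scan of firewall or proxy log lines for traffic to the 132.196.198.163:8080 endpoint described above. The key=value log format and the sample lines are constructed for the example and are not a SonicWall or Microsoft format; adjust the regular expression to your own log source.

```python
"""IOC sweep for the Trojanized NetExtender campaign (added example).

  1. hash_sweep(root): SHA-256 every file under a directory and report any
     match against the three file hashes published in the IOC table.
  2. scan_logs(lines): find log lines recording traffic to the published
     C2 address, flagging whether the port is the reported 8080.
The log format (space-separated key=value pairs) and the sample lines are
constructed for this example; they are not a vendor log format.
"""
import hashlib
import re
from pathlib import Path

# File hashes from the IOC table on this page.
IOC_SHA256 = {
    "d883c067f060e0f9643667d83ff7bc55a218151df600b18991b50a4ead513364": "Malicious NetExtender installer",
    "71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd": "Malicious NEService.exe",
    "e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b": "Malicious NetExtender.exe",
}

# C2 endpoint from the analysis above.
C2_IP = "132.196.198.163"
C2_PORT = 8080


def classify_digest(digest: str):
    """Return the IOC description for a SHA-256 hex digest, or None if unknown."""
    return IOC_SHA256.get(digest.lower())


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_sweep(root: Path):
    """Return (path, description) for every file under root whose hash is an IOC."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            desc = classify_digest(sha256_file(p))
            if desc:
                hits.append((str(p), desc))
    return hits


# Assumed log layout: "... dst=<ipv4> dport=<port> ...".
_LOG_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<port>\d+)")


def scan_logs(lines):
    """Return (line, port) for each line whose destination is the C2 address.

    Any traffic to the C2 IP is reported; the port lets the analyst see whether
    it matches the 8080 channel described in the write-up.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m and m.group("ip") == C2_IP:
            hits.append((line, int(m.group("port"))))
    return hits


# Constructed sample lines: benign HTTPS, the reported C2 channel, and the
# same IP on a different port.
SAMPLE_LOGS = [
    "ts=2025-01-01T10:01:02Z host=WS-17 src=10.0.4.21 dst=203.0.113.10 dport=443 bytes=5120",
    "ts=2025-01-01T10:01:09Z host=WS-17 src=10.0.4.21 dst=132.196.198.163 dport=8080 bytes=812",
    "ts=2025-01-01T10:02:44Z host=WS-22 src=10.0.4.33 dst=132.196.198.163 dport=443 bytes=60",
]

if __name__ == "__main__":
    for line, port in scan_logs(SAMPLE_LOGS):
        tag = "reported C2 port" if port == C2_PORT else "C2 IP, other port"
        print(f"[{tag}] {line}")
    # Hypothetical directory to sweep; point this at wherever installers land.
    for path, desc in hash_sweep(Path("Downloads")):
        print(f"[IOC hash match] {path} -> {desc}")
```

The hash sweep catches the three known binaries, but a rebuilt installer would have a new hash, so pair it with a signer check: on Windows, `Get-AuthenticodeSignature` on the installer and on NeService.exe and NetExtender.exe shows the signing subject, and a NetExtender binary signed by anything other than SonicWall (this campaign used a now-revoked "CITYLIGHT MEDIA PRIVATE LIMITED" certificate) should be treated as suspect regardless of hash.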