Hackers are distributing trojanised versions of SonicWall’s SSL VPN NetExtender to steal login credentials from unsuspecting victims. The campaign specifically targets users looking for the VPN on search engines, including Google and Bing, and lures them with techniques such as spearphishing, SEO poisoning, malvertising, or social media posts.
SonicWall has acknowledged the campaign and claims that its security products will flag the fake installer as malicious. The malicious payload being distributed by the fake installers is called SilentRoute by Microsoft, which helped detect the campaign.
The malware works by modifying two components — NeService.exe and NetExtender.exe — from the original installer. The modified components bypass the digital certificate validation that the other NetExtender components perform, so the installation proceeds despite the tampering.

Once installed, the program waits for the user to enter VPN configuration details and press the connect button before sending the stolen information to 132.196.198[.]163 over port 8080. The stolen information includes the username, password, domain, and other data points that a threat actor can use to access a company’s network without raising any alarms or otherwise leaving the indications of a traditional breach.
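As an added illustration, not code from the original report or from SonicWall’s or Microsoft’s own tooling, here is a defender-side check for the exfiltration behaviour described above, run over constructed endpoint network-connection events: it flags any process contacting the published indicator and, more generally, the two NetExtender processes contacting anything other than an assumed allowlist of the organisation’s own VPN gateways.

```python
import json
from typing import List, Optional, Set, Tuple

# Indicator published for this campaign (defanged in the report as 132.196.198[.]163, port 8080).
C2_IP = "132.196.198.163"
C2_PORT = 8080

# The two installer components the trojanised build modifies.
NETEXTENDER_PROCESSES = {"netextender.exe", "neservice.exe"}

# Constructed sample of endpoint network-connection events (Sysmon-style, one JSON object per line).
# Hostnames, paths and the 203.0.113.x / 198.51.100.x addresses are made up for the example.
SAMPLE_EVENTS = r"""
{"host":"ws01","image":"C:\\Program Files\\SonicWall\\SSL-VPN\\NetExtender\\NetExtender.exe","dst_ip":"203.0.113.10","dst_port":443}
{"host":"ws01","image":"C:\\Program Files\\SonicWall\\SSL-VPN\\NetExtender\\NetExtender.exe","dst_ip":"132.196.198.163","dst_port":8080}
{"host":"ws02","image":"C:\\Windows\\System32\\svchost.exe","dst_ip":"132.196.198.163","dst_port":8080}
{"host":"ws03","image":"C:\\Program Files\\SonicWall\\SSL-VPN\\NetExtender\\NeService.exe","dst_ip":"198.51.100.7","dst_port":8080}
"""


def classify_event(event: dict, allowed_gateways: Set[str]) -> Optional[str]:
    """Return a finding label for one connection event, or None if nothing looks suspicious."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    dst = (event["dst_ip"], int(event["dst_port"]))
    # Any process reaching the published C2 endpoint is a high-confidence hit.
    if dst == (C2_IP, C2_PORT):
        return "known-c2"
    # Assumed allowlist model: the genuine client only talks to the organisation's own
    # VPN gateway(s), so a NetExtender process contacting anything else warrants a look.
    if image in NETEXTENDER_PROCESSES and event["dst_ip"] not in allowed_gateways:
        return "unexpected-destination"
    return None


def scan_events(lines: str, allowed_gateways: Set[str]) -> List[Tuple[str, str, str]]:
    """Run classify_event over newline-separated JSON events; returns (host, dst_ip, label) findings."""
    findings = []
    for raw in lines.strip().splitlines():
        event = json.loads(raw)
        label = classify_event(event, allowed_gateways)
        if label:
            findings.append((event["host"], event["dst_ip"], label))
    return findings


if __name__ == "__main__":
    # 203.0.113.10 stands in for the organisation's legitimate VPN gateway.
    for host, dst_ip, label in scan_events(SAMPLE_EVENTS, {"203.0.113.10"}):
        print(f"{host}: {dst_ip} -> {label}")
```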
The malicious installers are digitally signed by “CITYLIGHT MEDIA PRIVATE LIMITED.” This certificate has since been revoked. As for distribution, the fake installer was impersonating the latest version of SonicWall’s VPN, version 10.3.2.27, and was being handed out by fake sites impersonating SonicWall’s official sources.
SonicWall and Microsoft have taken down fake websites that were distributing the malicious installers. There are no mitigation measures or updates to install, and both SonicWall’s and Microsoft’s antivirus solutions will detect the malicious files. However, SonicWall strongly recommends only installing its application from trusted sources, as mentioned in its advisory.
