A sophisticated cybercriminal campaign has targeted remote workers by distributing a compromised version of SonicWall’s widely used NetExtender SSL VPN client.
According to a joint investigation by SonicWall and Microsoft Threat Intelligence (MSTIC), threat actors are impersonating SonicWall’s official channels and hosting a hacked and modified version of NetExtender 10.3.2.27, the latest official release, designed to steal VPN configuration details.
The malicious installer is digitally signed by “CITYLIGHT MEDIA PRIVATE LIMITED,” a code-signing certificate used to make the trojanized package appear legitimate to users and to endpoint controls that trust signed binaries.
NetExtender is a vital tool that enables remote employees to securely access company networks from any location, facilitating file uploads, network drive access, and seamless application use, as if they were physically present on the corporate LAN.
The threat actor’s deceptive software not only mimics the genuine application but also includes malicious code modifications intended to siphon sensitive VPN credentials.
Technical Details and Malicious Modifications
For this attack, the cybercriminals altered critical components within the NetExtender installer. Two primary files, NeService.exe and NetExtender.exe, were tampered with to enable unauthorized data exfiltration.
The NeService.exe file, responsible for validating the digital certificates of NetExtender components, was patched so that execution continues even when validation fails. This bypasses critical security checks, allowing the malicious application to run unimpeded.
The NetExtender.exe file was injected with additional code designed to harvest VPN configuration data, including usernames, passwords, and domain information.
Once the user enters their credentials and clicks the “Connect” button, the malicious code performs a bogus validation before transmitting stolen data to a remote server at IP address 132.196.198.163 over port 8080.
This direct exfiltration poses severe risks, as attackers can gain unauthorized access to corporate networks, escalate privileges, and potentially launch further attacks from within.
SonicWall’s security solutions detect the malicious installer under the signature GAV: Fake-NetExtender [Trojan], and Microsoft detects it as TrojanSpy:Win32/SilentRoute.A; both block it in real time.
The joint effort has resulted in the takedown of impersonating websites and the revocation of the installer’s digital certificate.
Key Mitigation and Safety Recommendations
In response, SonicWall and Microsoft urge caution and recommend downloading SonicWall applications exclusively from official sources such as sonicwall.com or mysonicwall.com.
Both companies have updated their security solutions to proactively detect and block this threat.
SonicWall’s Capture Advanced Threat Protection (Capture ATP) with RTDMI™ and Managed Security Services, alongside Microsoft Defender Antivirus, offer robust real-time protection.
Indicators of Compromise (IOCs):
- SHA256 Hashes:
  - d883c067f060e0f9643667d83ff7bc55a218151df600b18991b50a4ead513364 (Malicious NetExtender Installer)
  - 71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd (Malicious NeService.exe)
  - e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b (Malicious NetExtender.exe)
- Network IOC: 132.196.198.163 (exfiltration over port 8080)
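The following script is an added example, not code from SonicWall, Microsoft, or the article, showing how a defender can put the published indicators to work: it hashes local files against the three SHA-256 values above and scans firewall log lines for connections to 132.196.198.163, rating a hit on port 8080 (the exfiltration port described earlier) higher than any other port to the same host. The key=value log layout and the sample log lines are constructed for the example; the regular expression is an assumption you would adapt to your own firewall export.

```python
"""IOC matcher for the trojanized NetExtender campaign.

Added example: checks local files against the published SHA-256 hashes and
scans firewall log lines for connections to the published exfiltration host.
"""
import hashlib
import re
import sys

# Indicators taken from the article's IOC list.
MALICIOUS_SHA256 = {
    "d883c067f060e0f9643667d83ff7bc55a218151df600b18991b50a4ead513364": "Malicious NetExtender installer",
    "71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd": "Malicious NeService.exe",
    "e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b": "Malicious NetExtender.exe",
}
EXFIL_IP = "132.196.198.163"
EXFIL_PORT = 8080


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_hash(digest: str):
    """Return the IOC label for a SHA-256 hex digest, or None if it is unknown."""
    return MALICIOUS_SHA256.get(digest.lower())


def classify_file(path: str):
    """Hash a file on disk and look it up in the IOC list."""
    return classify_hash(sha256_of_file(path))


# Assumed (constructed) key=value log layout; adjust the pattern to your own firewall export.
LOG_LINE_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?\bdport=(?P<port>\d+)\b")


def scan_log_lines(lines):
    """Flag every line whose destination is the exfiltration host.

    A connection to the published port 8080 is rated 'high'; any other port to
    the same host is 'medium', since the infrastructure itself is the indicator.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_LINE_RE.search(line)
        if not m or m.group("ip") != EXFIL_IP:
            continue
        port = int(m.group("port"))
        hits.append({
            "line": lineno,
            "ip": m.group("ip"),
            "port": port,
            "severity": "high" if port == EXFIL_PORT else "medium",
        })
    return hits


# Constructed sample log; the only real value in it is the IOC address.
SAMPLE_LOG = """\
2025-06-24T10:15:01Z fw1 src=10.20.1.15 dst=203.0.113.10 proto=tcp dport=443 action=allow
2025-06-24T10:15:02Z fw1 src=10.20.1.15 dst=132.196.198.163 proto=tcp dport=8080 action=allow
2025-06-24T10:15:03Z fw1 src=10.20.1.22 dst=10.20.0.5 proto=tcp dport=445 action=allow
2025-06-24T10:15:09Z fw1 src=10.20.1.15 dst=132.196.198.163 proto=tcp dport=443 action=deny
"""


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['ip']}:{hit['port']} severity={hit['severity']}")
    for arg in sys.argv[1:]:  # optional: paths of downloaded installers to hash
        print(f"{arg}: {classify_file(arg) or 'no match'}")
```

Run it with no arguments to see the two log hits from the sample, or pass the path of a downloaded installer to compare its hash against the IOC list. Both hits matter: the 8080 connection matches the described exfiltration channel exactly, while the denied 443 attempt to the same address still shows a host on the network reaching for the attacker's infrastructure and is worth triaging.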
Organizations and individual users are strongly advised to verify the authenticity of software before installation, remain vigilant for phishing lures, and keep security solutions updated to mitigate this and similar threats.