SonicWall has issued a warning about a campaign distributing a tampered version of its NetExtender application to steal user credentials.
NetExtender is an SSL VPN tool that allows remote users to securely access enterprise resources. It supports file transfers, network drive access, and other remote capabilities.
According to SonicWall, the company worked with Microsoft Threat Intelligence (MSTIC) to uncover a deceptive campaign aimed at spreading a hacked version of the NetExtender application. This altered version closely resembles the legitimate SonicWall software.
The trojanized version was built using the latest official release, version 10.3.2.27, and is signed with a certificate issued to Citylight Media Private Limited.
SonicWall revealed that the malicious application was designed to collect information about the user’s VPN setup and send it to a remote server.
The attacker modified two parts of the NetExtender installer: the NeService executable and the NetExtender client itself. In NeService, the attacker altered a function responsible for validating digital certificates, allowing all files to execute regardless of whether validation passed or failed.
In the NetExtender client, the malicious code activates when the user clicks the ‘Connect’ button. At this point, the application validates the VPN configuration and sends information such as the username, password, domain, and other details to the attacker’s server.
SonicWall and Microsoft have taken down the websites used to distribute the fake installer and have revoked the digital certificate used to sign it. Both companies have updated their security tools to detect this tampered version of NetExtender.
SonicWall advises users to download applications only from official sources like sonicwall.com or mysonicwall.com to avoid falling victim to such attacks.
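Because the tampered build carried a signature from an unrelated publisher, checking the Authenticode signer of NetExtender binaries is a quick audit. The script below is an added example, not code from SonicWall or this article; the search paths and the expected publisher string are assumptions to confirm against a copy downloaded from sonicwall.com.

```powershell
# Added example: audit Authenticode signers of NetExtender / NeService binaries.
param(
    # Assumed locations to search; adjust for your environment.
    [string[]]$Path = @("$env:ProgramFiles\SonicWall", "$env:USERPROFILE\Downloads"),
    # Assumption: publisher string expected on genuine builds. Verify it first.
    [string]$ExpectedSigner = 'SonicWall',
    # Signer the article reports on the trojanized installer.
    [string]$KnownBadSigner = 'Citylight Media Private Limited'
)

# The two components the article says were modified, plus the installer itself.
$files = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.msi', '.dll' -and
                   $_.Name -match 'NetExtender|NeService' }

$results = foreach ($f in $files) {
    $sig     = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Order matters: a known-bad signer is reported even if the chain still validates.
    $verdict = if ($subject -like "*$KnownBadSigner*") { 'KNOWN-BAD SIGNER' }
               elseif ($sig.Status -ne 'Valid')        { "SIGNATURE $($sig.Status)" }
               elseif ($subject -notlike "*$ExpectedSigner*") { 'UNEXPECTED SIGNER' }
               else { 'ok' }

    [pscustomobject]@{
        Verdict    = $verdict
        File       = $f.FullName
        Signer     = $subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

$results | Sort-Object Verdict | Format-List
# Non-zero exit lets a scheduled task or EDR script flag the host for review.
if ($results | Where-Object Verdict -ne 'ok') { exit 1 }
```

Any host reporting a non-`ok` verdict should have its VPN credentials rotated, since the article states the client sends them out when ‘Connect’ is clicked.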