SonicWall warns of trojanized NetExtender app stealing sensitive data


Think before you download – a trojanized version of SonicWall’s NetExtender is being used to steal sensitive information.

SonicWall, in collaboration with Microsoft Threat Intelligence (MSTIC), has found a trojanized version of its official SonicWall NetExtender software.

NetExtender is SonicWall's VPN client: it lets remote users connect to a company network and run its applications over an encrypted tunnel, so that sensitive company data stays protected and hidden from hackers.


The website impersonating SonicWall hosts an installer that looks identical to the genuine product, NetExtender version 10.3.2.27 (the latest release version).


The unknown threat actor has “added code in the installed binaries of the fake NetExtender so that information related to VPN configuration is stolen and sent to a remote server.”

This means the threat actor obtains the VPN configuration, which can include sensitive information such as usernames, passwords, and network details.

Hackers could use this information to break into the company’s network, exploit vulnerabilities, and steal sensitive data.

The threat actor that spoofed SonicWall’s product did so by modifying component files that are part of the NetExtender installer to “execute the application and send configuration information to a remote server,” SonicWall said.

The modified components are:

  • NeService.exe (Modified file; digital signature is invalid)
  • NetExtender.exe (Modified file; no digital signature)

NeService.exe is a service used by the NetExtender application to validate the digital certificates of the NetExtender components.

If the components pass validation, the program runs; otherwise it shows the user a “validation failure message” and exits.

Niamh Ancell BW jurgita vilius justinasv

“In the malicious installer, this file is patched at all locations where the function results are evaluated. The patch bypasses the check, allowing execution to continue regardless of validation results,” SonicWall said.

In the modified NetExtender.exe, additional malicious code has been introduced. Once the user enters the VPN configuration details and connects, the “malicious code performs its own validation before sending the data to the remote server.”


Details such as usernames and passwords are then sent to a remote server with the IP address 132.196.198.163 over port 8080.
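The two observable traits the article reports, a missing or invalid Authenticode signature on the NetExtender components and outbound traffic to 132.196.198.163 on port 8080, are both things a defender can check for. The script below is an added example written for this page, not SonicWall's or Cybernews's code. It parses a PE file's headers to tell whether an Authenticode certificate table is present at all (the trojanized NetExtender.exe has none), and it scans firewall-style log lines for connections to the reported address. The log format (`dst=… dport=…`) and the sample lines are constructed for the example; the minimal PE images are built in code only so the checks can run offline. A present certificate table only proves a signature blob exists: whether it actually verifies, which is the NeService.exe case, still needs a trust-chain verifier such as `signtool verify` or PowerShell's `Get-AuthenticodeSignature`.

```python
import re
import struct
from pathlib import Path

# Indicators quoted from the SonicWall/MSTIC report in the article.
C2_IP = "132.196.198.163"
C2_PORT = 8080
WATCHED_BINARIES = ("NeService.exe", "NetExtender.exe")

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory index of the certificate table


def authenticode_table(data: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if the file is unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories start at +96
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, directories start at +112
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", data, entry)  # security entry holds a file offset, not an RVA
    return None if offset == 0 or size == 0 else (offset, size)


def is_signed(data: bytes) -> bool:
    return authenticode_table(data) is not None


def audit_install_dir(install_dir: str) -> dict:
    """Report 'unsigned', 'has signature (verify chain)' or 'missing' for each watched component."""
    report = {}
    for name in WATCHED_BINARIES:
        path = Path(install_dir) / name
        if not path.is_file():
            report[name] = "missing"
            continue
        report[name] = "has signature (verify chain)" if is_signed(path.read_bytes()) else "unsigned"
    return report


# Constructed log format for the example: "<ts> host=<h> proc=<p> dst=<ip> dport=<port>".
LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<port>\d+)")


def find_c2_connections(lines):
    """Flag any connection to the reported address; mark whether the port matches the report too."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("ip") == C2_IP:
            port = int(m.group("port"))
            hits.append({"line": line.strip(), "port": port, "matches_report": port == C2_PORT})
    return hits


def build_sample_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Construct a headers-only PE image for testing; it is not a runnable binary."""
    e_lfanew = 0x80
    magic, opt_size, dirs_off = (0x20B, 240, 112) if pe32plus else (0x10B, 224, 96)
    num_dirs_off = 108 if pe32plus else 92
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, num_dirs_off, 16)
    cert_blob = b""
    if signed:
        cert_blob = b"\x00" * 64  # placeholder certificate table, not a real signature
        cert_off = e_lfanew + 4 + len(coff) + opt_size
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert_blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_blob


# Constructed sample log: one benign VPN session, one hit on the reported IP and port, one on the IP only.
SAMPLE_LOG = """\
2025-06-24T10:01:02Z host=WS-017 proc=NetExtender.exe dst=203.0.113.10 dport=443
2025-06-24T10:01:09Z host=WS-017 proc=NetExtender.exe dst=132.196.198.163 dport=8080
2025-06-24T10:02:30Z host=WS-022 proc=NetExtender.exe dst=132.196.198.163 dport=443
""".splitlines()

if __name__ == "__main__":
    print("signed sample:", is_signed(build_sample_pe(signed=True)))
    print("unsigned sample:", is_signed(build_sample_pe(signed=False)))
    for hit in find_c2_connections(SAMPLE_LOG):
        print("C2 indicator:", hit)
```

Run `audit_install_dir` against the NetExtender installation folder on a host you suspect; an "unsigned" result for NetExtender.exe matches the trojanized build, while "has signature (verify chain)" for NeService.exe still needs the certificate chain checked, because the advisory describes that file as signed with an invalid signature. The log scan deliberately flags the IP on any port and only annotates the 8080 match, since a narrower rule would miss the same server reached on a different port.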

While MSTIC and SonicWall have quickly revoked the digital certificate used to sign the installer, the cybersecurity company urges people to think before they download SonicWall applications from websites other than trusted providers.
