SonicWall has issued an alert about an active campaign distributing a trojanized version of its NetExtender SSL VPN client designed to steal user information, specifically VPN credentials and configuration details. This fake NetExtender app closely mimics the legitimate version 10.3.2.27 but has been modified by threat actors to exfiltrate sensitive data to a remote server.
Details of the Attack
The attackers altered two components of the NetExtender installer. The first is NeService.exe, the Windows service that validates the digital certificates of the other NetExtender components before they run, so that a tampered binary is normally rejected. The attackers patched this executable to skip that check, which is what allows the modified components below to run even though they no longer carry SonicWall's own valid signature.
The second is NetExtender.exe, which was injected with malicious code that runs when the user clicks the “Connect” button. At that moment the client has the full VPN profile in memory, and the injected code captures the username, password, domain, and other configuration details and sends them to a remote server at IP address 132.196.198.163 over port 8080.
The trojanized installer is signed with a fraudulent certificate issued to “CITYLIGHT MEDIA PRIVATE LIMITED,” an entity with no affiliation to SonicWall. A signature from any issuer is enough to satisfy checks that only confirm a binary is code-signed, rather than confirming who signed it, so the installer cleared some basic defenses that an unsigned file would have tripped. The fake NetExtender was distributed from spoofed websites impersonating SonicWall’s official download portals; these sites have since been taken down in a coordinated action by SonicWall and Microsoft. The campaign likely relied on SEO poisoning, malvertising, and social media posts to steer victims searching for the VPN client toward the fake download.
Response and Recommendations
SonicWall, in collaboration with Microsoft Threat Intelligence (MSTIC), quickly took down the fake websites and revoked the fraudulent digital certificate used to sign the trojanized installer. Both SonicWall’s Capture ATP and Microsoft Defender Antivirus now detect and block this malicious installer under names like Fake-NetExtender Trojan and TrojanSpy:Win32/SilentRoute.A.
Users are strongly advised to download NetExtender and other SonicWall software only from official sources such as sonicwall.com or mysonicwall.com. Administrators should verify the digital signature of the NetExtender executables on their endpoints (the Digital Signatures tab in file Properties, or Get-AuthenticodeSignature in PowerShell): legitimate builds are signed by SonicWall, and a signature naming “CITYLIGHT MEDIA PRIVATE LIMITED” identifies the trojanized version, which should be removed immediately. Note that revoking the certificate stops the installer from passing signature checks going forward, but it does nothing to copies that were already installed, so existing installations still need to be checked. Because the trojan forwards the credentials entered at “Connect,” any VPN account that was used through the fake client should be treated as compromised and its password reset.
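The following PowerShell script is an added example for administrators, not code from SonicWall or Microsoft. It checks the two files named in the alert for the fraudulent signer and looks for live connections to the reported exfiltration endpoint. The signer string, host and port come from the alert above; the install directories are an assumption based on a default Windows install and should be adjusted if NetExtender lives elsewhere.

```powershell
# Added example (not from the SonicWall advisory). Indicators from the alert:
$BadSigner = 'CITYLIGHT MEDIA PRIVATE LIMITED'
$ExfilHost = '132.196.198.163'
$ExfilPort = 8080

# Assumed default install locations; adjust for non-standard installs.
$Candidates = @(
    "$env:ProgramFiles\SonicWall\SSL-VPN\NetExtender\NetExtender.exe",
    "$env:ProgramFiles\SonicWall\SSL-VPN\NetExtender\NEService.exe",
    "${env:ProgramFiles(x86)}\SonicWall\SSL-VPN\NetExtender\NetExtender.exe",
    "${env:ProgramFiles(x86)}\SonicWall\SSL-VPN\NetExtender\NEService.exe"
)

foreach ($Path in ($Candidates | Where-Object { Test-Path $_ })) {
    $Sig     = Get-AuthenticodeSignature -FilePath $Path
    $Subject = $Sig.SignerCertificate.Subject   # $null when the file is unsigned

    # Check the signer name first: after revocation the status is no longer
    # 'Valid', but the subject still tells you exactly what you are looking at.
    if ($Subject -like "*$BadSigner*") {
        Write-Warning "TROJANIZED: $Path is signed by '$Subject' (status $($Sig.Status)) - remove it"
    } elseif ($Sig.Status -ne 'Valid') {
        Write-Warning "SUSPICIOUS: $Path signature status is $($Sig.Status)"
    } elseif ($Subject -notlike '*SonicWall*') {
        Write-Warning "UNEXPECTED SIGNER: $Path is signed by '$Subject'"
    } else {
        Write-Output "OK: $Path signed by '$Subject'"
    }
}

# A running trojan only talks to the server when someone clicks Connect, so
# an empty result here does not prove the host is clean; the signature check
# above is the authoritative test.
Get-NetTCPConnection -RemoteAddress $ExfilHost -RemotePort $ExfilPort -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning "Connection to ${ExfilHost}:${ExfilPort} from PID $($_.OwningProcess) ($($Proc.ProcessName))"
    }
```

Run it in an elevated session so the service binary and all TCP connections are readable. The signer comparison is deliberately done before the status comparison: once the CITYLIGHT certificate was revoked, the trojanized files stopped reporting a valid signature, but the revoked status alone does not distinguish them from any other broken signature, whereas the subject name does.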