SonicWall warns of trojanized NetExtender stealing VPN logins

SonicWall is warning customers that threat actors are distributing a trojanized version of its NetExtender SSL VPN client that steals VPN credentials.

The fake software, which was discovered by researchers at SonicWall and Microsoft Threat Intelligence (MSTIC), mimics the legitimate NetExtender v10.3.2.27, the latest available version.

The malicious installer file is hosted on a spoofed website that is made to appear authentic, tricking visitors into thinking they are downloading software from SonicWall.

Although the installer file is not digitally signed by SonicWall, it is signed by "CITYLIGHT MEDIA PRIVATE LIMITED," allowing it to bypass elementary defenses.

Figure: Digital signature on the modified file (Source: SonicWall)
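
The signing detail above is why a "file is signed" check is not enough: the signer also has to be the expected vendor. As an added example (not from SonicWall or the original article), this PowerShell function accepts an installer only when its Authenticode signature is valid and the signer's common name is on an allow-list; the function name, the file name and the allow-list value are assumptions.

```powershell
# Added example: trust an installer only if the Authenticode signature is valid
# AND the signing certificate belongs to an expected publisher.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Assumption: exact CN values copied from a known-good vendor installer.
        [Parameter(Mandatory)] [string[]] $AllowedPublisher
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Common name of the signing certificate; stays $null for unsigned files.
    $cn = $null
    if ($sig.SignerCertificate) {
        $cn = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    }

    # A valid signature from an unexpected publisher is rejected, which is the
    # case the article describes (validly signed, but not by the vendor).
    $reason = if ($sig.Status -ne 'Valid') {
        "signature status is $($sig.Status)"
    } elseif ($cn -notin $AllowedPublisher) {
        "signed by unexpected publisher '$cn'"
    } else {
        $null
    }

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = $cn
        Trusted   = ($null -eq $reason)
        Reason    = $reason
    }
}

# Constructed usage: the file name and the publisher string are placeholders.
Test-InstallerPublisher -Path '.\NetExtender-installer.msi' `
    -AllowedPublisher '<expected vendor CN>'
```

Matching on the exact common name rather than a substring avoids accepting a certificate whose subject merely contains the vendor's name.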

The goal of the trojanized application is to steal VPN configuration and account credentials and exfiltrate them to the attacker.

SonicWall NetExtender is a remote access VPN client that allows users to securely connect to their organization's internal network from remote locations.

It is specifically designed to work with SonicWall SSL VPN appliances and firewalls, and it's typically used by remote staff of small to medium businesses, IT administrators, and contractors across a broad spectrum of industry types.

SonicWall and Microsoft found two modified binaries of the product distributed by the malicious spoofed sites.
