Cybersecurity researchers have uncovered a sophisticated malware campaign targeting SonicWall’s SSL VPN NetExtender users through a meticulously crafted Trojanized version of the legitimate remote access software.
The malicious campaign, operating through impersonated websites, distributes a modified version of NetExtender 10.3.2.27 that closely mimics the official SonicWall application while secretly harvesting VPN credentials and configuration data from unsuspecting users.
The threat actors have employed advanced social engineering techniques by creating fake websites that host the malicious installer, complete with a deceptive digital signature from “CITYLIGHT MEDIA PRIVATE LIMITED.”
Because the installer carries a valid-looking signature, it passes initial security scrutiny while still appearing to be a legitimate software distribution.
The campaign specifically targets organizations relying on SonicWall’s NetExtender for secure remote access, potentially compromising entire corporate networks through stolen VPN credentials.
The malware’s primary objective centers on credential theft, with the modified NetExtender application secretly transmitting usernames, passwords, domain information, and other sensitive VPN configuration details to a command-and-control server located at IP address 132.196.198.163 over port 8080.
SonicWall analysts identified this threat in collaboration with Microsoft Threat Intelligence (MSTIC), leading to rapid response measures including website takedowns and certificate revocation.
The impact of this campaign extends beyond individual credential theft, as compromised VPN access can provide threat actors with a foothold into corporate networks, enabling lateral movement and potential data exfiltration.
Organizations using SonicWall NetExtender face significant risks if employees unknowingly install the malicious version, as the trojan operates silently alongside legitimate VPN functionality.
Certificate Validation Bypass Mechanism
The malware demonstrates sophisticated evasion techniques through its manipulation of the NeService.exe component, which serves as the NetExtender Windows service responsible for validating digital certificates of application components.
The threat actors implemented strategic code patches at multiple locations where certificate validation results are evaluated, effectively bypassing the security mechanism that would normally prevent execution of unsigned or improperly signed components.
[Figure: the original NeService.exe function used to validate application components]
The figure above shows the original function used to validate application components, while the figure below shows the specific patching technique employed by the threat actors.
[Figure: the patched certificate-validation check in NeService.exe]
The malicious modifications ensure that regardless of certificate validation results, the application continues execution, allowing the compromised NetExtender.exe to function normally while secretly exfiltrating data.
This bypass is a critical security failure: it undermines the fundamental trust model in which digital signature verification ensures the integrity and authenticity of the software.
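The two observable signs the article gives are a NetExtender component whose Authenticode signer is not SonicWall (the trojanized build was signed by "CITYLIGHT MEDIA PRIVATE LIMITED", and its NeService.exe is patched) and outbound traffic to 132.196.198.163 on port 8080. The PowerShell below is an added triage example written for this page; it is not SonicWall's code and not part of the original article. It assumes the default NetExtender install directory under Program Files (x86) and uses a simple substring match on the signer subject as a heuristic, so adjust the path and the expected signer string to what your environment actually shows.

```powershell
# Added triage example (not SonicWall's or the article's code).
# Assumption: NetExtender is installed under the default path below.
$InstallDir = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender'
$C2Ip       = '132.196.198.163'   # C2 address reported in the article
$C2Port     = 8080                # C2 port reported in the article

function Test-NetExtenderSignatures {
    param([string]$Dir = $InstallDir)
    # Walk every executable and DLL in the install tree and read its
    # Authenticode signature. A legitimate build should be Valid and
    # signed by SonicWall; anything else is worth a closer look.
    Get-ChildItem -Path $Dir -Recurse -Include '*.exe','*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status
                Signer  = $subject
                # Heuristic: flag non-Valid status or a signer that is not SonicWall.
                Suspect = ($sig.Status -ne 'Valid') -or ($subject -notmatch 'SonicWall')
            }
        }
}

function Test-C2Connection {
    # Look for an established or pending TCP session to the reported C2 endpoint
    # and resolve which process owns it.
    Get-NetTCPConnection -RemoteAddress $C2Ip -RemotePort $C2Port -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, State, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } }
}

# Report only the suspicious components, then any live C2 session.
Test-NetExtenderSignatures | Where-Object Suspect | Format-Table -AutoSize
Test-C2Connection | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a host where NetExtender is installed. The signature check catches the trojanized installer's components even while their certificate was still unrevoked, because the signer subject does not match SonicWall; the connection check only fires while the implant is actively talking to the C2, so pair it with firewall or proxy logs for a historical view.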
The post Threat Actors Distribute Hacked Version of SonicWall’s SSL VPN NetExtender to Steal Sensitive Data appeared first on Cyber Security News.