Cyber Threat: Fake SonicWall VPN App Targets Corporate Credentials
Discover how hackers are using a trojanized SonicWall VPN app to steal corporate credentials. Learn about the threat, its detection, and prevention measures.
TL;DR
Hackers are distributing a trojanized SonicWall NetExtender VPN client to steal corporate VPN credentials. The malware, tracked by Microsoft as SilentRoute, mimics the legitimate installer and ships with a forged code-signing certificate. SonicWall and Microsoft have taken down the distribution sites, revoked the certificate, and added detections to their security products.
Main Content
Hackers are deploying a trojanized version of the SonicWall NetExtender SSL VPN app to steal user credentials. The legitimate NetExtender app allows remote users to securely access and use company network resources as if they were on-site.
The malware, dubbed SilentRoute by Microsoft Threat Intelligence (MSTIC), mimics the legitimate software. Users who install the rogue build from the fake site get a working VPN client, but the VPN username, password and domain they enter are also sent to an attacker-controlled server, giving the threat actors credentials for unauthorized access to the corporate network.
A fake NetExtender site hosts the trojanized version, which is signed by “CITYLIGHT MEDIA PRIVATE LIMITED” rather than by SonicWall. According to SonicWall’s advisory, this version steals VPN configuration data and sends it to a remote server. The threat actors modified the following component files of the NetExtender installer so that the application still runs while exfiltrating configuration information:
- NetExtender.exe (Modified file; no digital signature)
- NeService.exe (Modified file; digital signature is invalid)
The legitimate SonicWall NetExtender service checks the validity of its components’ digital signatures before running and stops if validation fails. In the trojanized version, the attackers patched NeService.exe to bypass these checks, so the program runs even though NetExtender.exe is unsigned and NeService.exe’s signature is invalid. They also injected code into NetExtender.exe that captures the VPN credentials (username, password and domain) and sends them to a remote server at 132[.]196.198.163:8080 as soon as the user clicks “Connect.”
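The two artifacts above (broken component signatures and a connection to the exfiltration server) are what a defender can check for on a workstation. The following PowerShell sweep is an added example, not code from SonicWall, Microsoft or the article; the install directory and the expectation that genuine builds are signed by a SonicWall certificate are assumptions to adjust for your environment:

```powershell
# Added example: sweep a NetExtender install for the tampering described above.
# Assumptions (not from the article): default install path and a SonicWall signer subject.
$installDir     = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender'  # assumed path
$components     = 'NetExtender.exe', 'NeService.exe'                       # files the actor modified
$expectedSigner = '*SonicWall*'                                            # assumed legitimate signer
$iocRemote      = '132.196.198.163'                                        # exfil server from the advisory
$iocPort        = 8080

$findings = @()

# 1. File side: a trojanized NetExtender.exe is NotSigned and NeService.exe reports
#    HashMismatch; the signer subject check also catches a "valid" but foreign certificate
#    (the CITYLIGHT MEDIA cert has since been revoked, but revocation checks can be skipped offline).
foreach ($name in $components) {
    $path = Join-Path $installDir $name
    if (-not (Test-Path $path)) { $findings += "MISSING  $path"; continue }
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $subject -notlike $expectedSigner) {
        $findings += "SUSPECT  $name status=$($sig.Status) signer=$subject"
    }
}

# 2. Network side: the injected code connects to the IoC when the user clicks Connect,
#    so an established or recently closed socket to that IP:port is a strong signal.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $iocRemote -and $_.RemotePort -eq $iocPort }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "C2       state=$($c.State) pid=$($c.OwningProcess) proc=$($proc.ProcessName)"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero so the sweep can be wired into an EDR or scheduled-task alert
}
Write-Output 'No SilentRoute indicators found'
```

Run it elevated so the signature check can read the Program Files directory and the connection table shows every process. A clean result only means the two known artifacts are absent; treat the published IoC list, not this script, as the authoritative set of indicators.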
SonicWall and Microsoft promptly took down the malicious sites hosting the trojanized NetExtender and revoked the certificate used to sign it. Users should download the client only from SonicWall’s official site or from their own IT department. SilentRoute is detected by both SonicWall and Microsoft security tools.
SonicWall also published Indicators of Compromise (IoCs) for this threat.
SecurityAffairs – hacking, SonicWall
For more details, visit the full article: source
Conclusion
The trojanized NetExtender build highlights the ongoing threat of malware disguised as legitimate software, here reinforced by a real but attacker-controlled code-signing certificate. Users and organizations must remain vigilant: download applications only from the vendor’s official sources, verify that installer components carry a valid signature from the expected publisher before deployment, and block or alert on the published IoCs in endpoint and network controls.