
Bogus SonicWall VPN App Facilitates User Credential Theft

Malicious actors used fake download sites to spread the weaponised NetExtender installer.

SonicWall has warned of ongoing intrusions leveraging a trojanised installer of its NetExtender SSL VPN application to pilfer VPN credentials.

According to SonicWall, which discovered the infostealer malware campaign together with Microsoft, and as reported by The Register, malicious actors used fake download sites to spread the weaponised NetExtender installer, which was signed with a counterfeit "CITYLIGHT MEDIA PRIVATE LIMITED" certificate.

Running the installer signed with this certificate permitted the exfiltration of usernames, passwords, domains, and other VPN configuration-related data.

Further analysis of the fraudulent NetExtender app revealed that a pair of executable files present in the original installer had been modified to circumvent validation checks and to send VPN configuration information to a remote server at the IP address 132.196.198.163 over port 8080.

SonicWall has not provided additional details regarding the extent of the intrusion or its perpetrators, but it has already moved to disrupt all websites hosting the malicious installer and to revoke the offending digital certificate.
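
One way to sweep a Windows endpoint for the two indicators reported above, the certificate signer name and the exfiltration address and port. This is an added example, not code from SonicWall, Microsoft or the article; the search roots are assumptions to adjust for your environment.

```powershell
# Added example: endpoint triage for the indicators named in the article.
$BadSigner = 'CITYLIGHT MEDIA PRIVATE LIMITED'   # signer name from the article
$ExfilIp   = '132.196.198.163'                   # exfiltration server from the article
$ExfilPort = 8080                                # exfiltration port from the article

# Assumption: downloaded or installed software lives under these roots.
$SearchRoots = @(
    "$env:SystemDrive\Users",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ -and (Test-Path $_) }

# 1. Find executables and MSI packages whose Authenticode signer matches.
$signedHits = Get-ChildItem -Path $SearchRoots -Include *.exe, *.msi -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$BadSigner*") {
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status   # signature status as reported by Windows
                Thumbprint = $sig.SignerCertificate.Thumbprint
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

# 2. Look for TCP connections currently open to the exfiltration endpoint.
$netHits = Get-NetTCPConnection -RemoteAddress $ExfilIp -RemotePort $ExfilPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } }

$signedHits | Format-List
$netHits    | Format-Table -AutoSize

if ($signedHits -or $netHits) {
    # The article reports theft of usernames, passwords and domains.
    Write-Warning 'Indicator match: treat VPN credentials used on this host as exposed.'
    exit 1
}
```

The connection check only sees sockets open at the moment it runs, so historical firewall or proxy logs are the better place to search for the address and port.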


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
