- SonicWall warns that attackers are distributing malicious VPN software
- NetExtender is being modified and distributed via fake websites
- The malware steals credentials and VPN configurations
Attackers have been caught impersonating the SonicWall NetExtender SSL VPN client and distributing it via fake web pages that imitate the official SonicWall website.
SonicWall and Microsoft Threat Intelligence (MSTIC) spotted the trojanized application and issued a notice warning users against downloading the fake software.
Because NetExtender is used as a remote access VPN client, stolen VPN configuration data and credentials can put employees and companies at risk of compromise.
Spoofed VPN client distributed via a fake website
The fake VPN client is signed by “Citylight Media Private Limited”, which lends it a limited degree of apparent legitimacy that can get it past basic security checks.
The file has been distributed using search result poisoning and malvertising techniques that can make the fake website appear above the authentic site, especially in sponsored results.
Consequently, SonicWall reminded users to download software only from legitimate sources, in this case sonicwall.com and mysonicwall.com.
In their research, SonicWall and MSTIC found two modified binaries from the product being distributed by the fake website: NeService.exe, which has been modified to bypass digital certificate checks, and NetExtender.exe, which has been changed to steal configuration data and credentials.
Once all the necessary details have been entered and the user clicks Connect, the data, including the username, the password, the domain and so on, is extracted and sent to a remote server controlled by the attackers.
SonicWall and Microsoft security tools can now detect the malware, but third-party security products may not yet be configured to detect the files. It is always a good idea to use reputable antivirus software to protect your devices from modified software and malware.
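For endpoints where detection coverage is uncertain, the signer itself can be checked. The PowerShell script below is an added example, not code from SonicWall or Microsoft: it finds NetExtender binaries and installers under a folder and classifies each by Authenticode signer, testing for the signer named above before the signature status, because a trojanized file with a valid signature would otherwise pass. The default scan path, the expected publisher substring `SonicWall`, the file-name patterns and the verdict labels are assumptions to adjust for your environment.

```powershell
# Added example: triage NetExtender binaries by Authenticode signer.
param(
    # Assumption: folder to scan; pass your own download or install path.
    [string]$Path = "$env:USERPROFILE\Downloads",
    # Assumption: substring expected in the genuine publisher's certificate subject.
    [string]$ExpectedPublisher = 'SonicWall'
)

# Signer the article reports on the trojanized client.
$ReportedBadSigner = 'Citylight Media Private Limited'
# The two modified binaries named in the article, plus installer packages.
$Patterns = 'NeService.exe', 'NetExtender*.exe', 'NetExtender*.msi'

$results = Get-ChildItem -Path $Path -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert    = $sig.SignerCertificate
        $subject = if ($cert) { $cert.Subject } else { '' }

        # Order matters: a valid signature from the wrong signer must not pass.
        $verdict = if ($subject -like "*$ReportedBadSigner*") { 'MATCHES_REPORTED_SIGNER' }
                   elseif ($sig.Status -ne 'Valid') { 'SIGNATURE_NOT_VALID' }
                   elseif ($subject -notlike "*$ExpectedPublisher*") { 'UNEXPECTED_PUBLISHER' }
                   else { 'OK' }

        [pscustomobject]@{
            Verdict    = $verdict
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = $subject
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

$results | Sort-Object Verdict | Format-List
# A non-zero exit code lets a management tool flag the host for review.
if ($results | Where-Object Verdict -ne 'OK') { exit 1 }
```

Any verdict other than `OK` means the file should be compared against a copy downloaded from sonicwall.com or mysonicwall.com before it is trusted.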