Recommended reading

SonicWall warns of fake VPN apps stealing user logins and putting businesses at risk - here's what we know

News
By published

A malicious VPN client is being distributed through fake websites

Laptop with warning symbols over the keyboard
(Image credit: Shutterstock)
  • SonicWall is warning hackers are distributing malicious VPN software
  • NetExtender is being modified and distributed through fake websites
  • The malicious software steals credentials and VPN configurations

Hackers have been spotted spoofing the SonicWall NetExtender SSL VPN client and distributing it through bogus webpages which mimic the official SonicWall site.

SonicWall and Microsoft Threat Intelligence (MSTIC) spotted the trojanized application and issued an advisory to warn users against downloading the fake software.

As NetExtender is used as a remote access VPN client, stolen VPN configuration data and VPN credentials can put both employees and businesses at risk of compromise.

Spoofed VPN client distributed through fake website

The fake VPN client is signed by "CITYLIGHT MEDIA PRIVATE LIMITED," giving it a limited level of authenticity which can fool some low level cyber protections.

The file was distributed using SEO poisoning and malvertising techniques which can make the fake website appear above the authentic site, especially in sponsored results.

Images showing fake digital certificate and modified executable files from the malicious SonicWall VPN software.

(Image credit: SonicWall)

Therefore, SonicWall has reminded users to only download software from legitimate sources, in this case, sonicwall.com and mysonicwall.com.

In the research conducted by SonicWall and MSTIC, they found two modified binaries of their product being distributed by the fake website; NEService.exe which was modified to bypass digital certificate checks; and NetExtender.exe was modified to steal the configuration data and credentials.

Images showing fake digital certificate and modified executable files from the malicious SonicWall VPN software.

(Image credit: SonicWall)

When all the necessary details are entered and the user clicks connect, the data which includes username, password, domain, and more, is extracted and sent to a remote server controlled by the hackers.

Both SonicWall’s and Microsoft’s cybersecurity tools can now detect the malicious software, but other third party software may not yet be configured to detect the files. It’s always a good idea to consult the best antivirus software to protect your devices from modified software and malicious files.

You might also like

TOPICS
Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.