Sonicwall warns of fake NetExtender app infected with malicious code

Attackers have published a Windows version of Sonicwall's VPN software NetExtender that has been prepared with malicious code. They use it to intercept VPN access data.

Background information

The IT company warns of this in a recent article. Company employees use NetExtender to establish a VPN connection to the company network to access network drives, for example.

In collaboration with security researchers from Microsoft, Sonicwall has now discovered a malicious variant of the VPN software. It was offered on a website designed to look like the legitimate NetExtender site. The website has since been taken offline, and Windows classifies the certificate used to sign the fake app as untrustworthy. The extent to which the application is in circulation is currently unknown. Meanwhile, virus scanners should recognize the malicious code and sound the alarm.

To find out whether you have installed the fake version, you need to open the properties of the NetExtender executable file and check the “Digital signature”. If it says, “CITYLIGHT MEDIA PRIVATE LIMITED”, it is the infected version and admins should delete it immediately. The Sonicwall article also contains the checksums of affected files.

Insights

Sonicwall states that the cybercriminals have manipulated the files NEService.exe and NetExtender.exe with malicious code. In the former file, the attackers have removed the validation of the certificate so that the file can start even if the signature is invalid. NetExtender.exe contains code to copy VPN access data including password and send it to a server of the attackers.

This case shows once again that software and tools should only be downloaded from the manufacturer's websites or reliable download portals such as heise Download. To make matters worse, fake websites are repeatedly landing at the top of Internet search results. Recently, this has also happened in Google's new AI-supported search.

(des)