APT Hackers Abuse Microsoft ClickOnce to Deliver Trusted Malware
June 25, 2025
Severity
High
Analysis Summary
Cybersecurity researchers have identified a malware campaign targeting users of SonicWall’s SSL VPN client NetExtender, specifically version 10.3.2.27. The threat actors built a Trojanized copy of the legitimate remote access software and distribute it through fake websites that closely mimic SonicWall’s official download portal. The malicious installer hosted on these sites is signed with a code-signing certificate issued to “CITYLIGHT MEDIA PRIVATE LIMITED” rather than to SonicWall, which gives it a facade of legitimacy and helps it slip past initial security checks that only ask whether a file is signed, not by whom.
According to the researchers, the primary goal of the campaign is credential theft. Once installed, the modified NetExtender client silently gathers and exfiltrates sensitive information, including usernames, passwords, domain names, and VPN configuration details. This data is sent to a command-and-control (C2) server at IP address 132.196.198.163 over port 8080. The campaign poses a serious threat to corporate networks: the stolen credentials can be used to gain unauthorized VPN access, move laterally across internal systems, and exfiltrate critical data.
To evade detection and maintain persistence, the malware tampers with NeService.exe, the NetExtender Windows service component responsible for validating the digital signatures of the client’s own components. The attackers patched multiple code locations so that the certificate validation checks are skipped or their result is overridden. As a result, the Trojanized NetExtender.exe and any other unsigned or improperly signed module are accepted by the service without raising an error, and the VPN client appears to operate normally while the credential theft runs in the background. Note that this bypass applies to the application’s internal self-check only; the operating system’s Authenticode verification of the files is unaffected, which is why inspecting the signer of the installed binaries remains a reliable check.
The implications of this campaign are severe. By undermining the application’s signature validation and shipping a signed installer, the attackers have a potent method of disguising malware as trusted software. Although it appears to function like a legitimate VPN client, the compromised NetExtender silently undermines the secure remote access environment it is supposed to protect. In response, SonicWall and Microsoft Threat Intelligence collaborated on website takedowns and certificate revocations. Organizations using SonicWall VPNs must remain vigilant, obtain software only through authenticated channels, and educate users to avoid unofficial downloads.
Impact
- Credential and Sensitive Data Theft
- Unauthorized VPN and Network Access
- Security Control Bypass (Signature Validation)
Indicators of Compromise
MD5
446faa8ccfe435162f7996d9e989666f
6ab088764ffde98aceb8758637fcc6b9
e11180393a1775f322dd753616f0607c
SHA-256
d883c067f060e0f9643667d83ff7bc55a218151df600b18991b50a4ead513364
71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd
e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b
SHA-1
7448c0894ef17a085a478817a9465a36d2807048
ce120bc1483d4b528dedf4dab1f31ad54b53e50e
10b3e81b0804d7c452434ceac699b46e31c0b215
Remediation
- Download SonicWall NetExtender only from SonicWall’s official website or support portal, and verify the installer’s digital signature and hash before deployment.
- Educate employees to avoid downloading software from unknown websites or clicking suspicious links, especially search-engine or ad results that imitate vendor download pages.
- Use application allow-listing to prevent unauthorized or unsigned applications from running, and restrict it to the expected publisher rather than to “any valid signature.”
- Monitor firewall, proxy, and endpoint network logs, both live connections and historical records, for traffic to 132.196.198.163 on port 8080.
- Immediately revoke and reset VPN credentials if any compromise is suspected; treat every credential entered into an affected client as exposed.
- Perform thorough endpoint scans to detect and remove modified NetExtender builds, matching installed and downloaded files against the hashes listed above.
- Verify the digital signatures of installed NetExtender binaries (NetExtender.exe, NeService.exe) and flag any signer other than SonicWall, in particular “CITYLIGHT MEDIA PRIVATE LIMITED,” as well as files whose signature status is not valid.
- Segment the network to restrict unauthorized lateral movement from a VPN-connected host.
- Keep all systems and applications updated with the latest official patches.
- Enable multi-factor authentication (MFA) for VPN access so that stolen passwords alone are not sufficient to log in.
- Regularly review VPN access logs for unusual activity, including logins from unknown IPs, odd hours, or a user’s credentials appearing from two locations at once.
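The following PowerShell hunt script is an added example and is not part of this advisory or of SonicWall’s or Microsoft’s tooling. It implements the endpoint checks above: it verifies the Authenticode signer of every executable and DLL in the NetExtender install directory, compares the files against the MD5/SHA-1/SHA-256 indicators listed in this advisory, and looks for live TCP connections to the C2 address. Assumptions are marked in the comments: the install path is the default one for NetExtender 10.x and may differ on your hosts, and the legitimate publisher is matched only by the substring “SonicWall” because the exact certificate subject string varies between releases.

```powershell
# Added hunt script, not from the original advisory. Run as an administrator on the endpoint.
# Assumed default install path for NetExtender 10.x; adjust if your deployment differs.
$NetExtenderDir = 'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender'
$C2Address      = '132.196.198.163'   # C2 server from the advisory
$C2Port         = 8080                # C2 port from the advisory

# Indicators of compromise copied from the advisory (lowercase for comparison).
$IocHashes = @{
    MD5    = @('446faa8ccfe435162f7996d9e989666f',
               '6ab088764ffde98aceb8758637fcc6b9',
               'e11180393a1775f322dd753616f0607c')
    SHA1   = @('7448c0894ef17a085a478817a9465a36d2807048',
               'ce120bc1483d4b528dedf4dab1f31ad54b53e50e',
               '10b3e81b0804d7c452434ceac699b46e31c0b215')
    SHA256 = @('d883c067f060e0f9643667d83ff7bc55a218151df600b18991b50a4ead513364',
               '71110e641b60022f23f17ca6ded64d985579e2774d72bcff3fdbb3412cb91efd',
               'e30793412d9aaa49ffe0dbaaf834b6ef6600541abea418b274290447ca2e168b')
}

$findings = @()

if (Test-Path $NetExtenderDir) {
    Get-ChildItem -Path $NetExtenderDir -Recurse -Include *.exe, *.dll | ForEach-Object {
        # 1. OS-level Authenticode check. This is independent of NeService.exe's internal
        #    validation, so a patched service cannot hide a wrong signer or a modified file.
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'SonicWall' -or $subject -match 'CITYLIGHT MEDIA') {
            $findings += [pscustomobject]@{
                Check  = 'Signature'
                Path   = $_.FullName
                Detail = "status=$($sig.Status); signer=$subject"
            }
        }
        # 2. Hash match against the advisory's IoCs, for each algorithm listed.
        foreach ($algo in $IocHashes.Keys) {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm $algo).Hash.ToLower()
            if ($IocHashes[$algo] -contains $hash) {
                $findings += [pscustomobject]@{ Check = "Hash-$algo"; Path = $_.FullName; Detail = $hash }
            }
        }
    }
} else {
    Write-Warning "NetExtender directory not found at '$NetExtenderDir'; set `$NetExtenderDir to the real install path."
}

# 3. Point-in-time check for an active connection to the C2 from any process on this host.
Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'C2-Connection'
        Path   = $proc.Path
        Detail = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
    }
}

if ($findings.Count -eq 0) {
    'No indicators of the Trojanized NetExtender found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Two practical notes. First, the hash check only covers the install directory; the fake installer itself usually sits in a Downloads folder or a browser cache, so run the same loop over user profile directories as well. Second, the connection check sees only sockets open at the moment it runs; historical contact with 132.196.198.163:8080 has to be hunted in firewall, proxy, or EDR network telemetry, which is why the remediation list asks for both.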