Trojanized SonicWall NetExtender and ConnectWise Exploits Undermine Remote Access Security

A surge in remote access attacks involving trojanized SonicWall NetExtender VPN software and ConnectWise exploits is exposing organizations to credential theft and persistent malware, raising urgent concerns for enterprise security.


By MoneyOval Bureau


Threat actors have launched a campaign distributing a trojanized version of SonicWall's SSL VPN NetExtender application, targeting users who search online for a legitimate download. The malicious installer closely mimics the genuine NetExtender v10.3.2.27 and carries a valid digital signature, but the signing certificate belongs to a company unaffiliated with SonicWall. The installer is distributed through spoofed websites, phishing, SEO poisoning, and malvertising, so a check that only confirms "the file is signed and the signature verifies" will pass it; the signer's identity has to be checked as well.

Once installed, the fake app captures VPN configuration details, including usernames, passwords, and domains, and exfiltrates them to a remote server controlled by the attackers. To keep this working, the attackers modify two core binaries, NeService.exe and NetExtender.exe: the patched service no longer enforces digital certificate validation, so the tampered components keep running even though their signatures no longer verify.

ConnectWise Authenticode Exploits Enable Stealthy Malware Delivery

Simultaneously, attackers are abusing ConnectWise remote access software through a method known as Authenticode stuffing. Authenticode computes the signed hash over the executable while excluding the certificate table, the region of the file that holds the signature itself, so attacker-controlled data appended inside that table leaves the signature valid: the installer passes signature checks while carrying the attacker's payload and configuration. The campaign, tracked as EvilConwi, uses phishing emails and fake AI tool sites to lure victims into downloading these trojanized ConnectWise installers.

Once executed, these installers can display fake Windows update screens, block user shutdown attempts, and establish persistent remote connections for attackers.
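The mechanism behind Authenticode stuffing, as an added example that is not code from the article or from ConnectWise: a minimal PE32+ image with a certificate table is constructed inline, the Authenticode hash is computed the way the signature check does it (skipping the CheckSum field, the security directory entry, and the certificate table), and a stuffed copy is shown to produce the identical hash. The second function does the check a practitioner actually wants: it compares the WIN_CERTIFICATE entry against the DER length of the PKCS#7 blob it holds and flags anything beyond alignment padding. The signature blob, the "configuration" string, and the PE layout are constructed for the demonstration, not real campaign artefacts; the hash routine assumes the usual signtool layout (contiguous sections in file order, certificate table last in the file).

```python
import hashlib
import struct

# --- Constructed sample data (not artefacts from the campaign) --------------
# A bare DER SEQUENCE standing in for the PKCS#7 SignedData blob a real signer
# places in the certificate table. Long-form length (0x82 0x01 0x00 = 256) so
# the length decoder is exercised the way it is on real signatures.
FAKE_SIGNATURE = b"\x30\x82\x01\x00" + bytes(256)
# Hypothetical attacker configuration appended after the signature.
STUFFED_CONFIG = b'{"relay":"c2.attacker.invalid","port":8041,"autorun":true}'


def build_pe(signature: bytes, stuffed: bytes = b"") -> bytes:
    """Build a minimal PE32+ file whose only payload is a certificate table.

    Layout: 64-byte DOS header, 'PE\\0\\0', 20-byte COFF header, 240-byte PE32+
    optional header, then the WIN_CERTIFICATE entry at file offset 328.
    """
    headers_size = 64 + 4 + 20 + 240                     # 328, already 8-aligned
    cert_body = signature + stuffed
    cert_body += bytes((-(8 + len(cert_body))) % 8)      # WIN_CERTIFICATE is 8-byte aligned
    win_cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 60, headers_size)        # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    # Security directory (index 4) sits at optional-header offset 112 + 4*8.
    # Its "VirtualAddress" is a raw file offset, not an RVA.
    struct.pack_into("<II", opt, 112 + 4 * 8, headers_size, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


def locate_regions(pe: bytes):
    """Return (checksum_offset, security_dir_entry_offset, cert_table_offset,
    cert_table_size): the three regions Authenticode leaves out of its hash."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)         # PE32+ vs PE32 data directories
    sec_entry = dirs + 4 * 8                             # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)
    return opt + 64, sec_entry, cert_off, cert_size


def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 of the file as Authenticode hashes it: everything except the
    CheckSum field, the security directory entry and the certificate table."""
    checksum, sec_entry, cert_off, cert_size = locate_regions(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:sec_entry])
    if cert_size == 0:                                   # unsigned: nothing more to skip
        h.update(pe[sec_entry + 8:])
    else:
        h.update(pe[sec_entry + 8:cert_off])
        h.update(pe[cert_off + cert_size:])              # any data after the table
    return h.hexdigest()


def der_sequence_length(buf: bytes) -> int:
    """Total encoded length (tag + length bytes + content) of the DER SEQUENCE at buf[0]."""
    if not buf or buf[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def certificate_table_slack(pe: bytes) -> dict:
    """Flag bytes in the WIN_CERTIFICATE entry beyond the PKCS#7 blob's own DER
    length. Up to 7 zero bytes is alignment padding; anything else is stuffed."""
    _, _, cert_off, cert_size = locate_regions(pe)
    if cert_size == 0:
        return {"signed": False, "slack": b"", "suspicious": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    blob = pe[cert_off + 8:cert_off + dw_length]
    der_len = der_sequence_length(blob)
    slack = blob[der_len:]
    alignment_only = len(slack) < 8 and not slack.strip(b"\0")
    return {"signed": True, "revision": revision, "type": cert_type,
            "der_length": der_len, "slack": slack, "suspicious": not alignment_only}


if __name__ == "__main__":
    clean = build_pe(FAKE_SIGNATURE)
    stuffed = build_pe(FAKE_SIGNATURE, STUFFED_CONFIG)
    print("whole-file SHA-256 differs :", hashlib.sha256(clean).digest() != hashlib.sha256(stuffed).digest())
    print("Authenticode hash identical:", authenticode_sha256(clean) == authenticode_sha256(stuffed))
    print("clean   :", certificate_table_slack(clean))
    print("stuffed :", certificate_table_slack(stuffed))
```

Run the script as-is to see the two files hash identically under Authenticode while the slack check singles out the stuffed one; point `certificate_table_slack` at `open(path, "rb").read()` for a real installer. On a genuine signer's output the slack is a few zero bytes; a legitimate ConnectWise build also stores its configuration here, so the slack check identifies files to inspect, and the decision has to rest on what the slack contains (which host it points at), not on its mere presence.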

Did you know?
The trojanized SonicWall NetExtender campaign was detected in collaboration between SonicWall and Microsoft, with security tools from both vendors now able to proactively block the malicious installers.

Attackers Target Remote Users and IT Administrators

Both SonicWall NetExtender and ConnectWise are widely used by remote employees and IT administrators to access corporate networks securely. The current wave of attacks exploits this trust, aiming to compromise high-value targets and gain privileged access to sensitive systems.

By leveraging legitimate-looking software and valid digital signatures, attackers increase their chances of bypassing security controls and remaining undetected within enterprise environments: a signature proves only who signed the file, not that the file is safe, and in both campaigns the signature check returns "valid".


Implications for Enterprise Security and Response

These campaigns underscore a growing risk to organizations relying on remote access tools. The combination of credential theft, stealthy malware delivery, and persistent access can lead to data breaches, ransomware, and espionage.

Security vendors, including SonicWall and Microsoft, have updated their detection tools to flag the malicious installers, but the evolving tactics of attackers demand continuous vigilance and user education.

Defensive Strategies for Organizations and End Users

Experts recommend downloading VPN and IT management software only from official vendor sites, verifying digital signatures (checking that the signer is the vendor itself, not merely that a signature is present and valid, since the NetExtender imposter is signed by an unrelated company), and scanning all installers with updated antivirus solutions. Organizations should educate employees about phishing and malvertising risks, monitor for unusual remote access activity, and patch remote access tools promptly.

Implementing advanced endpoint protection and restricting software installation privileges can further reduce the risk of compromise.


© 2025 MoneyOval.
All rights reserved.