Threat Actors Recompile SonicWall’s NetExtender to Include SilentRoute Backdoor

In June 2025, eSentire’s Threat Response Unit uncovered a trojanized version of SonicWall’s NetExtender VPN client, named “SilentRoute,” which exfiltrates user credentials to a threat actor’s server. The malware bypassed security protections using a fraudulently obtained GlobalSign digital certificate and code modifications crafted to mimic legitimate software.

Key points

  • eSentire’s TRU identified a backdoored SonicWall NetExtender client that exfiltrates credentials to a malicious IP (132.196.198.163) on port 8080.
  • The malicious MSI installer “SonicWall-NetExtender.msi” was downloaded from a fake SonicWall download website after SEO poisoning.
  • The trojanized client used a revoked but initially trusted GlobalSign Extended Validation digital certificate to bypass security detections.
  • Threat actors patched NEService.exe and replaced the digitally signed NetExtender.exe with an unsigned, modified version to enable credential exfiltration.
  • The malware encoded credentials with an XOR-based function before transmission to obscure the data on the wire.
  • The attackers used a sophisticated method of decompiling, editing, and recompiling the original software to maintain full functionality while adding malicious features.
  • Recommendations include immediate password changes, implementing security awareness training, using NGAV/EDR solutions, and maintaining an official software repository.

MITRE Techniques

  • [T1566] Phishing – SEO poisoning was used to trick users into downloading the malicious software from a counterfeit SonicWall page (‘The infection process began when the user searched the web for a download of SonicWall’s NetExtender client. Upon visiting a fraudulent website…’).
  • [T1078] Valid Accounts – The malware exfiltrates user credentials (domain, username, password) to gain unauthorized network access (‘…facilitate the exfiltration of sensitive data – specifically the user’s domain, username, and password…’).
  • [T1556] Modify Authentication Process – The trojanized NetExtender patched NEService.exe and NetExtender.exe to bypass signature verification and enable credential theft (‘NEService.exe was patched by the threat actors in order to bypass digital signature verification…’).
  • [T1027] Obfuscated Files or Information – Credentials are encrypted with an XOR function before exfiltration to obscure data (‘…they are encrypted through the function “AuthRemote”, which serves to obscure the data using the XOR key referenced as “xseed”.’).

Indicators of Compromise

  • [IP Address] Malicious server for credential exfiltration – 132.196.198.163 on port 8080
  • [File Name] Trojanized software installer – SonicWall-NetExtender.msi
  • [File Name] Modified executables within MSI – NEService.exe, NetExtender.exe
  • [Certificate] Fraudulent digital certificate issued by GlobalSign (revoked)
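A defender-side check for the tampering described in the key points and the indicators above, added here as an example and not taken from the eSentire post: it verifies the Authenticode signature and signer of any installed NEService.exe and NetExtender.exe, and looks for live TCP connections to the reported exfiltration server. It assumes NetExtender is installed under a Program Files directory and that legitimate binaries carry a SonicWall subject name in their signing certificate.

```powershell
# Added example (not from the eSentire post). Run in an elevated PowerShell 5.1+ session.
# Assumptions: NetExtender lives under Program Files; genuine binaries are signed with a
# certificate whose subject contains "SonicWall".

$Ioc         = '132.196.198.163'   # exfiltration server from the report
$IocPort     = 8080
$Binaries    = @('NEService.exe', 'NetExtender.exe')
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# 1. Locate the NetExtender binaries and validate their signatures.
#    A "Valid" status alone is not enough: the fraudulently obtained GlobalSign certificate
#    chained to a trusted root, so the signer subject is checked as well.
$SignatureReport = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -Include $Binaries -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status          # NotSigned / HashMismatch indicate tampering
                Signer     = $signer
                Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'SonicWall')
            }
        }
}
$SignatureReport | Format-Table -AutoSize

# 2. Look for established or pending connections to the reported exfiltration server
#    and attribute them to the owning process.
$ConnectionReport = Get-NetTCPConnection -RemoteAddress $Ioc -RemotePort $IocPort -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            State     = $_.State
            Process   = $proc.ProcessName
            Pid       = $_.OwningProcess
        }
    }
if ($ConnectionReport) { $ConnectionReport | Format-Table -AutoSize }
else { Write-Output "No connections to ${Ioc}:${IocPort} found." }
```

Any row with Suspicious set to True, or any connection to the IoC, warrants isolating the host and rotating the VPN credentials entered on it, as the report recommends.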

Read more: https://www.esentire.com/blog/threat-actors-recompile-sonicwalls-netextender-to-include-silentroute-backdoor