Threat behavior
Threat actors use several techniques to infect devices with TrojanSpy:Win32/SilentRoute.A:
The infection begins when users are tricked into downloading and installing what appears to be legitimate NetExtender software but is loaded with malicious code. It bypasses security checks and steals data without the user's awareness. It carries a digital signature from CITY LIGHT MEDIA PRIVATE LIMITED so that it looks genuine and deceives users.
Once installed, it proceeds through the following infection steps:
- Users run the malicious content by clicking a link in a phishing email or by downloading a fake NetExtender installer from a pirated-software website.
- The digital signature it carries appears valid to Windows, reducing suspicion.
- SilentRoute ensures persistence by adding registry entries that launch it on Windows startup.
- It collects sensitive information, such as VPN login credentials, and sends it to command and control (C2) servers.
TrojanSpy:Win32/SilentRoute.A modifies legitimate files within the NetExtender application to include malicious code, enabling it to bypass security checks and steal sensitive information:
- C:\ProgramData\SonicWall\NetExtender\NetExtender-full.log
- C:\Users\<USER>\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
- C:\ProgramData\SonicWall\NxCredentialProvider\
- C:\ProgramData\SonicWall\NetExtender\NetExtender-wireguard.log
- C:\Program Files\SonicWall\SSL-VPN\NetExtender\NxCredentialProviderV2.dll
- C:\Program Files\SonicWall\SSL-VPN\NetExtender\wireguard.dll
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SonicWall NetExtender\SonicWall NetExtender.lnk
This malware also sets the following registry entries:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop\IconLayouts
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop\IconNameVersion
- HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile
- HKEY_LOCAL_MACHINE\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\InstallDir
- HKEY_LOCAL_MACHINE\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\InstallVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob
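The following triage script is an added example, not part of this page or SonicWall's own tooling: it checks the Authenticode signer of the NetExtender DLLs listed above, searches the standard Run keys (an assumed location for the startup persistence described above) for values that reference NetExtender, and reports whether the AuthRoot certificate key listed above is present. The expected signer string "SonicWall" is an assumption.

```powershell
# Added triage script (not from the page or SonicWall). Paths, signer name and AuthRoot
# key name come from the page; the expected-signer string and Run-key location are assumptions.
$ExpectedSigner = 'SonicWall'                                  # assumption
$SuspectSigner  = 'CITY LIGHT MEDIA PRIVATE LIMITED'           # signer named on the page
$Thumbprint     = '4EFC31460C619ECAE59C1BCE2C008036D94C84B8'   # AuthRoot key name from the page

$Files = @(
    'C:\Program Files\SonicWall\SSL-VPN\NetExtender\NxCredentialProviderV2.dll',
    'C:\Program Files\SonicWall\SSL-VPN\NetExtender\wireguard.dll'
)

# Authenticode check: flag files not validly signed by the expected vendor, or signed by the suspect name.
$Findings = foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $sig     = Get-AuthenticodeSignature -FilePath $f
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path       = $f
        Status     = $sig.Status
        Signer     = $subject
        SHA256     = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Suspicious = ($sig.Status -ne 'Valid') -or
                     ($subject -like "*$SuspectSigner*") -or
                     ($subject -notlike "*$ExpectedSigner*")
    }
}
$Findings | Format-Table -AutoSize

# Startup persistence: Run-key values that reference NetExtender (assumed location).
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like '*NetExtender*' } |
        ForEach-Object { Write-Warning "Startup entry in ${k}: $($_.Name) = $($_.Value)" }
}

# AuthRoot key named on the page. Presence alone is weak evidence, since Windows' automatic
# root update also writes to AuthRoot\Certificates; weigh it together with the file findings.
$certKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$Thumbprint"
if (Test-Path -Path $certKey) {
    $cert = Get-ChildItem Cert:\LocalMachine\AuthRoot | Where-Object Thumbprint -eq $Thumbprint
    Write-Warning "AuthRoot entry present: $Thumbprint ($($cert.Subject))"
}
```

Run it from an elevated PowerShell session so both the HKLM Run key and the machine certificate store are readable; a Suspicious=True row for either DLL warrants comparing its SHA256 against a known-good NetExtender install.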
TrojanSpy:Win32/SilentRoute.A also communicates with the following hosts:
- a83f[:]8110[:]6f00[:]6f00[:]7400[:]6800[:]2e00[:]4300
- 184[.]27[.]218[.]92:80
- a83f[:]8110[:]0[:]0[:]6786[:]21:0:0
- a83f[:]8110[:]1717[:]17ff[:]1717[:]17ff[:]1717[:]17ff
- 104[.]18[.]21[.]226[:]80
Prevention