Malware targeting SonicWall devices could survive firmware updates

Researchers at Mandiant have identified a malware campaign targeting SonicWall SMA 100 Series appliances, thought to be of Chinese origin. The malware was likely deployed in 2021, and was able to persist on the appliances tenaciously, even surviving firmware upgrades. The malware was able to steal user credentials and provide shell access.

The SMA 100 Series is an access control system that lets remote users log in to company resources. It offers a combined single-sign-on (SSO) web portal to authenticate users, so intercepting user credentials would give an attacker that is after sensitive information a huge advantage.

The Mandiant researchers reportedly worked with the SonicWall Product Security and Incident Response Team (PSIRT) to examine an infected device.

The analysis of the files found on the device showed that harvesting the (hashed) user credentials of all logged in users was the primary purpose of the malware. A number of scripts and a TinyShell variant provided the attacker with readily available, high-privileged access. The original TinyShell is a python command shell used to control and execute commands through HTTP requests to a web shell. A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. In other words, it acts as a backdoor on affected systems.

The researchers noted that the attackers put significant effort into the stability and persistence of their tooling and showed a detailed understanding of the appliance.

The malware checked for the presence of a firmware upgrade every ten seconds. When found it unzipped the package, copied the malware into the upgrade and put the zip back in the original place, now including the malware, so after the upgrade it could continue to harvest credentials.


SonicWall is urging SMA 100 customers to upgrade to version or higher, which includes hardening enhancements. In a blog post from March 1, 2023 SonicWall describes the patch and states that:

SonicWall has taken the approach of incorporating security enhancements in their products, such as the SMA 100 series, which helps identify potentially compromised devices by performing several checks at the operating system level and baselining normal operating system state. In addition, SonicWall sends anonymous encrypted data to backend servers, including device health data, to detect and confirm security events and release new software to correct the issue.

As part of this upgrade, SMA100 customers on versions or higher will receive notifications in their Management Console about pending CRITICAL security updates.

The upgrades, and the instructions on how to upgrade to 10.x firmware versions from various older versions of the SMA 100 Series can be found in the SonicWall knowledge base article Upgrade Path For SMA100 Series.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.