Magnet Goblin Delivers Linux Malware Using One-Day Vulnerabilities

A financially motivated threat actor has been targeting one-day vulnerabilities in public-facing services to deploy Linux backdoors, Check Point reports.

Tracked as Magnet Goblin, the adversary was seen quickly adopting one-day vulnerabilities, often in edge devices, and relying on the Nerbian custom malware family to perform nefarious activities.

Magnet Goblin was seen targeting publicly disclosed vulnerabilities in Ivanti VPNs (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893), Magento (CVE-2022-24086), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and possibly Apache ActiveMQ.

As part of an attack exploiting the recent Ivanti flaws, the threat actor was observed deploying a JavaScript credential stealer called Warpwire, a Linux variant of the NerbianRAT backdoor, and the open source tunneling tool Ligolo.

The Warpwire stealer was previously linked to the mass exploitation of Ivanti vulnerabilities, suggesting that multiple threat actors might be using it, Check Point says.

The tool was also seen in a 2022 attack against Magento servers, which were used as command-and-control (C&C) servers for the Windows variant of NerbianRAT and for Warpwire. Magnet Goblin deployed MiniNerbian, a smaller version of the Linux NerbianRAT backdoor, on the compromised Magento instances.

Analysis of Magnet Goblin’s infrastructure also revealed the use of the remote monitoring and management (RMM) tools ScreenConnect and AnyDesk, as well as the targeting of Qlik Sense and Apache ActiveMQ.

The Linux variant of NerbianRAT has been used in attacks since 2022, Check Point says. On infected machines, the malware collects system information, can run various commands, and communicates with the C&C over raw sockets, relying on AES for encryption.

Given “the diverse actions available, the backdoor allows for great flexibility for the threat actor to operate at different times and at different levels of complexity. This enables the malware to remain stealthy yet active on the infected machine,” Check Point notes.

A simplified version of NerbianRAT, MiniNerbian supports command execution, has a small configuration, and uses HTTP for communication with the C&C. The two backdoors share some code, but they appear to be different malware with similar functions.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian. Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected,” Check Point concludes.
