Magnet Goblin Exploits 1-Day Vulnerabilities with New Linux Variant of NerbianRAT Malware

March 11, 2024

The threat actor known as Magnet Goblin is making headlines for how quickly it exploits 1-day vulnerabilities in internet-facing services. Check Point has issued a warning about the group's activities, noting its rapid adoption of an exploit for CVE-2024-21887 in Ivanti Connect Secure VPN. The exploit was incorporated into the group's toolkit within a day of the proof-of-concept (PoC) being published.

The group has run several campaigns targeting Ivanti, Magento, Qlik Sense, and possibly Apache ActiveMQ, each built around a recently disclosed 1-day vulnerability. In the Ivanti Connect Secure VPN campaign, the threat actors were observed deploying a previously unseen Linux variant of the NerbianRAT malware, along with a JavaScript credential stealer called WARPWIRE.

NerbianRAT itself was first documented in 2022, and the Linux variant appears to have been in circulation since at least May 2022. “While tracking the recent waves of Ivanti exploitation, we identified a number of activities leading to the download and deployment of an ELF file which turned out to be a Linux version of NerbianRAT. This cluster of activity, also described in a Darktrace report, was characterized by the download of a variety of payloads from an attacker-controlled infrastructure,” reads the report from Check Point.

The Linux variant of NerbianRAT communicates over raw TCP sockets using a custom protocol rather than a standard application-layer protocol. C2 traffic is AES-encrypted, with RSA used for some message types depending on the data being transmitted. The researchers also discovered a simplified version of the malware, dubbed MiniNerbian, which uses HTTP for its C2 communication.
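The two C2 styles described above suggest one hunting heuristic for defenders who can see traffic leaving their VPN gateways and other edge devices: a custom AES-wrapped protocol over a raw socket produces client payloads that carry no TLS or HTTP framing yet look like random bytes, while HTTP-based C2 such as MiniNerbian hides the same high-entropy blob behind valid HTTP headers. The following is an added example written for this page, not code from Check Point's report or from the NerbianRAT samples; the edge-device list, the session records, the entropy cut-off and the ciphertext stand-in are all constructed assumptions, not indicators from the campaign.

```python
"""Heuristic triage of outbound TCP sessions from edge devices.

Added example, not Check Point's code or anything derived from the NerbianRAT or
MiniNerbian samples. It encodes one hunting idea: flag sessions whose first
client bytes are neither TLS nor HTTP but near-maximal entropy (custom encrypted
protocol over a raw socket), and HTTP sessions whose body alone is near-maximal
entropy (encrypted C2 behind valid HTTP framing). All thresholds and sample data
are assumptions.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List

# Assumed inventory of hosts treated as edge devices (hypothetical addresses).
EDGE_DEVICES = {"10.0.0.5", "10.0.0.6"}


@dataclass
class Session:
    src: str                # client side of the TCP session
    dst: str
    dport: int
    client_payload: bytes   # first bytes the client sent after the handshake


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the observed byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_ratio(data: bytes) -> float:
    """Entropy relative to the maximum a sample of this length can reach.

    A 64-byte sample can never exceed log2(64) = 6 bits, so a fixed 7.0 cut-off
    on raw entropy would miss short ciphertext bursts; the ratio does not.
    """
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(len(data)))


def looks_like_tls(b: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    return len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def looks_like_http(b: bytes) -> bool:
    return b.startswith(HTTP_METHODS)


def classify(payload: bytes, min_len: int = 32, ratio_cutoff: float = 0.85) -> str:
    """Label the first client bytes of a session.

    "tls"              - TLS framing, leave to the TLS inspection pipeline
    "http-opaque-body" - HTTP framing but a near-random body (MiniNerbian-style)
    "http"             - ordinary HTTP
    "opaque"           - no known framing and near-maximal entropy (raw-socket RAT)
    "other"            - anything else (plaintext protocols, keepalives, zeros)
    """
    if looks_like_tls(payload):
        return "tls"
    if looks_like_http(payload):
        _head, sep, body = payload.partition(b"\r\n\r\n")
        if sep and len(body) >= min_len and entropy_ratio(body) >= ratio_cutoff:
            return "http-opaque-body"
        return "http"
    if len(payload) >= min_len and entropy_ratio(payload) >= ratio_cutoff:
        return "opaque"
    return "other"


def hunt(sessions: List[Session]) -> List[Session]:
    """Return edge-device sessions whose payload profile matches encrypted C2."""
    suspicious = {"opaque", "http-opaque-body"}
    return [s for s in sessions
            if s.src in EDGE_DEVICES and classify(s.client_payload) in suspicious]


# Constructed stand-in for ciphertext: a permutation of all 256 byte values,
# which has the flat byte histogram that real AES output approaches.
CIPHERTEXT_LIKE = bytes((i * 167) % 256 for i in range(256))

# Constructed sample sessions (not captured traffic).
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "203.0.113.10", 443,
            b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32)),      # TLS ClientHello
    Session("10.0.0.5", "203.0.113.20", 80,
            b"GET /health HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),          # plain HTTP
    Session("10.0.0.5", "198.51.100.7", 8443, CIPHERTEXT_LIKE),                # raw-socket custom protocol
    Session("10.0.0.6", "198.51.100.7", 80,
            b"POST /api/ping HTTP/1.1\r\nHost: 198.51.100.7\r\n"
            b"Content-Length: 256\r\n\r\n" + CIPHERTEXT_LIKE),                 # encrypted body over HTTP
    Session("10.0.0.9", "198.51.100.7", 8443, CIPHERTEXT_LIKE),                # not an edge device: ignored
    Session("10.0.0.6", "203.0.113.30", 5000, b"\x00" * 64),                   # zero-filled keepalive
]

if __name__ == "__main__":
    for s in hunt(SAMPLE_SESSIONS):
        print(f"review {s.src} -> {s.dst}:{s.dport} [{classify(s.client_payload)}] "
              f"entropy {shannon_entropy(s.client_payload):.2f} bits/byte")
```

Two sessions in the constructed set are flagged: the raw-socket session from 10.0.0.5 and the HTTP POST from 10.0.0.6 whose body is opaque. The heuristic is deliberately narrow: it only ranks traffic for review, it says nothing about which malware family is involved, and legitimate compressed or encrypted payloads (a gzip body, a non-TLS VPN protocol) will score the same way, so the edge-device allowlist and an expected-destination list are what keep the alert volume manageable.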

The report concludes that Magnet Goblin's campaigns appear to be financially motivated. The group has been quick to exploit 1-day vulnerabilities to deliver its custom Linux malware, NerbianRAT and MiniNerbian, and these tools have largely gone undetected because they run mostly on edge devices, where endpoint visibility is typically poor. The report further notes that this is part of a growing trend of threat actors targeting areas previously left unprotected.
