Pierluigi Paganini
March 11, 2024
A financially motivated threat actor named Magnet Goblin made the headlines for rapidly adopting and exploiting 1-day vulnerabilities, CheckPoint warned. The group focuses on internet-facing services, in at least one instance the group exploited the vulnerability CVE-2024-21887 in Ivanti Connect Secure VPN. The researchers noticed that the exploit became part of the group’s toolkit within just one day after a proof of concept (POC) for it was published.
The researchers observed that the threat actor carried out multiple campaigns targeting Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ.
The attackers demonstrated the capability to quickly use 1-day vulnerabilities. These include:
In the incident involving the Ivanti Connect Secure VPN exploit, threat actors were spotted dropping a previously undetected Linux variant of a malware dubbed NerbianRAT, along with a JavaScript credential stealer known WARPWIRE.
NerbianRAT for Windows was first spotted in 2022, however the Linux variant employed by Magnet Goblin has been in circulation since May 2022.
“While tracking the recent waves of Ivanti exploitation, we identified a number of activities leading to the download and deployment of an ELF file which turned out to be a Linux version of NerbianRAT. This cluster of activity, also described in a Darktrace report, was characterized by the download of a variety of payloads from an attacker-controlled infrastructure.” reads the report published CheckPoint. “Among the downloaded payloads are a variant of the WARPWIRE JavaScript credential stealer, a NerbianRAT Linux variant, and Ligolo, an open-source tunneling tool written in GO.”
Upon executing the Linux NerbianRAT variant, the malware checks for duplicate processes achieved through the allocation of shared memory segments. If successful, it initiates a self-forking mechanism, constituting the sole anti-debugging/anti-analysis measure incorporated into the malware. Once the check is completed, NerbianRAT starts the main initialization process.
Below are the phases of the initiation process:
Unlike the Windows variant, the Linux version of NerbianRAT uses raw TCP sockets for communication, exchanging data blobs represented by structs using a customized protocol. The malware uses AES encryption for C2 communication, however, depending on the transmitted data, RSA may also be utilized.
Below are the actions supported by the malware:
| Action ID | Action description |
| 1 | Continue requesting more actions. |
| 4 | Run a Linux command in a separate thread. |
| 5 | Send the last command result and clean up the result file. ** If a command is running it is stopped. |
| 6 | Run a Linux command immediately. |
| 7 | Do nothing / Idle command. |
| 8 | Change the connection interval global variable. |
| 9 | Update the start and end worktimes, then save the config file. |
| 14 | Send back the idle status timings string / the configuration / results of the last run Linux command. |
| 15 | Set a config variable, based on the name of the field and a value. |
| 16 | Update the gl_command_buffer global variable, used when executing commands from the C2. |
The researchers also observed a simplified version of the NerbianRAT, called MiniNerbian, which supports the following actions:
Unlike NerbianRAT, MiniNerbian uses HTTP protocol for C2 communication.
“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian. Those tools have operated under the radar as they mostly reside on edge-devices.” concludes the report. “This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Magnet Goblin)
