Magnet Goblin group used a new Linux variant of NerbianRAT malware

Pierluigi Paganini March 11, 2024

The financially motivated hacking group Magnet Goblin uses various 1-day flaws to deploy custom malware on Windows and Linux systems.

A financially motivated threat actor named Magnet Goblin made the headlines for rapidly adopting and exploiting 1-day vulnerabilities, CheckPoint warned. The group focuses on internet-facing services, in at least one instance the group exploited the vulnerability CVE-2024-21887 in Ivanti Connect Secure VPN. The researchers noticed that the exploit became part of the group’s toolkit within just one day after a proof of concept (POC) for it was published.

The researchers observed that the threat actor carried out multiple campaigns targeting Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ.

The attackers demonstrated the capability to quickly use 1-day vulnerabilities. These include:

In the incident involving the Ivanti Connect Secure VPN exploit, threat actors were spotted dropping a previously undetected Linux variant of a malware dubbed NerbianRAT, along with a JavaScript credential stealer known WARPWIRE.

NerbianRAT for Windows was first spotted in 2022, however the Linux variant employed by Magnet Goblin has been in circulation since May 2022.

Magnet Goblin

“While tracking the recent waves of Ivanti exploitation, we identified a number of activities leading to the download and deployment of an ELF file which turned out to be a Linux version of NerbianRAT. This cluster of activity, also described in a Darktrace report, was characterized by the download of a variety of payloads from an attacker-controlled infrastructure.” reads the report published CheckPoint. “Among the downloaded payloads are a variant of the WARPWIRE JavaScript credential stealer, a NerbianRAT Linux variant, and Ligolo, an open-source tunneling tool written in GO.”

Upon executing the Linux NerbianRAT variant, the malware checks for duplicate processes achieved through the allocation of shared memory segments. If successful, it initiates a self-forking mechanism, constituting the sole anti-debugging/anti-analysis measure incorporated into the malware. Once the check is completed, NerbianRAT starts the main initialization process.

Below are the phases of the initiation process:

  1. Gathers fundamental information, such as the current time, username, and machine name.
  2. Generates a unique bot ID by combining the value of the file /etc/machine-id and the current process ID.
  3. Assigns a hardcoded IP address (172.86.66.165) to two global variables, designating them as the primary and secondary hosts.
  4. Decrypts the global working directory variable and designates it as %TEMP%.
  5. Searches for the file rgs_c.txt, reads its contents, and attempts to interpret them as the following arguments: -pP port -h host.
  6. Loads a public RSA key, subsequently utilized to encrypt network communication

Unlike the Windows variant, the Linux version of NerbianRAT uses raw TCP sockets for communication, exchanging data blobs represented by structs using a customized protocol. The malware uses AES encryption for C2 communication, however, depending on the transmitted data, RSA may also be utilized.

Below are the actions supported by the malware:

Action IDAction description
1Continue requesting more actions.
4Run a Linux command in a separate thread.
5Send the last command result and clean up the result file. ** If a command is running it is stopped.
6Run a Linux command immediately.
7Do nothing / Idle command.
8Change the connection interval global variable.
9Update the start and end worktimes, then save the config file.
14Send back the idle status timings string / the configuration / results of the last run Linux command.
15Set a config variable, based on the name of the field and a value.
16Update the gl_command_buffer global variable, used when executing commands from the C2.

The researchers also observed a simplified version of the NerbianRAT, called MiniNerbian, which supports the following actions:

  • Execute C2’s command and return results
  • Update activity schedule (full day or specific hours)
  • Update configuration

Unlike NerbianRAT, MiniNerbian uses HTTP protocol for C2 communication.

NerbianRAT

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian. Those tools have operated under the radar as they mostly reside on edge-devices.” concludes the report. “This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Magnet Goblin)



you might also like

leave a comment