• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Belk hit by May cyberattack: DragonForce stole 150GB of data

 | 

North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

 | 

FBI seized multiple piracy sites distributing pirated video games

 | 

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

 | 

Interlock ransomware group deploys new PHP-based RAT via FileFix

 | 

Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

 | 

Experts uncover critical flaws in Kigen eSIM technology affecting billions

 | 

Spain awarded €12.3 million in contracts to Huawei

 | 

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

 | 

Wing FTP Server flaw actively exploited shortly after technical details were made public

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53

 | 

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • Magnet Goblin group used a new Linux variant of NerbianRAT malware

Magnet Goblin group used a new Linux variant of NerbianRAT malware

Pierluigi Paganini March 11, 2024

The financially motivated hacking group Magnet Goblin uses various 1-day flaws to deploy custom malware on Windows and Linux systems.

A financially motivated threat actor named Magnet Goblin made the headlines for rapidly adopting and exploiting 1-day vulnerabilities, CheckPoint warned. The group focuses on internet-facing services, in at least one instance the group exploited the vulnerability CVE-2024-21887 in Ivanti Connect Secure VPN. The researchers noticed that the exploit became part of the group’s toolkit within just one day after a proof of concept (POC) for it was published.

The researchers observed that the threat actor carried out multiple campaigns targeting Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ.

The attackers demonstrated the capability to quickly use 1-day vulnerabilities. These include:

  • Magento – CVE-2022-24086
  • Qlik Sense – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
  • Ivanti Connect Secure – CVE-2023-46805 and CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.

In the incident involving the Ivanti Connect Secure VPN exploit, threat actors were spotted dropping a previously undetected Linux variant of a malware dubbed NerbianRAT, along with a JavaScript credential stealer known WARPWIRE.

NerbianRAT for Windows was first spotted in 2022, however the Linux variant employed by Magnet Goblin has been in circulation since May 2022.

Magnet Goblin

“While tracking the recent waves of Ivanti exploitation, we identified a number of activities leading to the download and deployment of an ELF file which turned out to be a Linux version of NerbianRAT. This cluster of activity, also described in a Darktrace report, was characterized by the download of a variety of payloads from an attacker-controlled infrastructure.” reads the report published CheckPoint. “Among the downloaded payloads are a variant of the WARPWIRE JavaScript credential stealer, a NerbianRAT Linux variant, and Ligolo, an open-source tunneling tool written in GO.”

Upon executing the Linux NerbianRAT variant, the malware checks for duplicate processes achieved through the allocation of shared memory segments. If successful, it initiates a self-forking mechanism, constituting the sole anti-debugging/anti-analysis measure incorporated into the malware. Once the check is completed, NerbianRAT starts the main initialization process.

Below are the phases of the initiation process:

  1. Gathers fundamental information, such as the current time, username, and machine name.
  2. Generates a unique bot ID by combining the value of the file /etc/machine-id and the current process ID.
  3. Assigns a hardcoded IP address (172.86.66.165) to two global variables, designating them as the primary and secondary hosts.
  4. Decrypts the global working directory variable and designates it as %TEMP%.
  5. Searches for the file rgs_c.txt, reads its contents, and attempts to interpret them as the following arguments: -pP port -h host.
  6. Loads a public RSA key, subsequently utilized to encrypt network communication

Unlike the Windows variant, the Linux version of NerbianRAT uses raw TCP sockets for communication, exchanging data blobs represented by structs using a customized protocol. The malware uses AES encryption for C2 communication, however, depending on the transmitted data, RSA may also be utilized.

Below are the actions supported by the malware:

Action IDAction description
1Continue requesting more actions.
4Run a Linux command in a separate thread.
5Send the last command result and clean up the result file. ** If a command is running it is stopped.
6Run a Linux command immediately.
7Do nothing / Idle command.
8Change the connection interval global variable.
9Update the start and end worktimes, then save the config file.
14Send back the idle status timings string / the configuration / results of the last run Linux command.
15Set a config variable, based on the name of the field and a value.
16Update the gl_command_buffer global variable, used when executing commands from the C2.

The researchers also observed a simplified version of the NerbianRAT, called MiniNerbian, which supports the following actions:

  • Execute C2’s command and return results
  • Update activity schedule (full day or specific hours)
  • Update configuration

Unlike NerbianRAT, MiniNerbian uses HTTP protocol for C2 communication.

NerbianRAT

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian. Those tools have operated under the radar as they mostly reside on edge-devices.” concludes the report. “This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Magnet Goblin)


facebook linkedin twitter

Cybercrime Hacking hacking news information security news IT Information Security Magnet Goblin malware NerbianRAT Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 15, 2025
Belk hit by May cyberattack: DragonForce stole 150GB of data
Read more
Pierluigi Paganini July 15, 2025
North Korea-linked actors spread XORIndex malware via 67 malicious npm packages
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Belk hit by May cyberattack: DragonForce stole 150GB of data

    Data Breach / July 15, 2025

    North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

    Hacking / July 15, 2025

    FBI seized multiple piracy sites distributing pirated video games

    Cyber Crime / July 15, 2025

    An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

    Hacking / July 15, 2025

    Interlock ransomware group deploys new PHP-based RAT via FileFix

    Cyber Crime / July 14, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT