NerbianRAT Linux - Novel Malware Linked to Magnet Goblin APT
Check Point reports that a financially motivated threat actor has been exploiting recently disclosed vulnerabilities in publicly accessible services to install Linux backdoors. Tracked as Magnet Goblin, the adversary has been quick to weaponize these vulnerabilities, particularly in edge devices, and relies on the custom Nerbian malware family for its intrusions.
Magnet Goblin has been observed targeting known vulnerabilities in platforms such as Ivanti VPNs, Magento, Qlik Sense, and possibly Apache ActiveMQ. In the Ivanti intrusions, for instance, the actor deployed Warpwire, a JavaScript credential stealer; a Linux version of the NerbianRAT backdoor; and Ligolo, an open-source tunneling tool.
Magnet Goblin's Previous Activity
The Warpwire stealer has been linked to widespread exploitation of Ivanti vulnerabilities, suggesting that several threat actors may use it. Magnet Goblin has also used Warpwire in earlier attacks against Magento servers, and it has repurposed compromised Magento servers as command-and-control servers for the Windows variant of NerbianRAT and for Warpwire itself.
Investigation into Magnet Goblin's infrastructure revealed the use of remote monitoring and management (RMM) tools such as ScreenConnect and AnyDesk, along with targeting of Qlik Sense and Apache ActiveMQ. The Linux variant of NerbianRAT, active since 2022, collects system information, executes commands, and communicates with the command-and-control server over encrypted channels.
The backdoor provides a wide range of capabilities, offering flexibility for the threat actor to operate stealthily on infected machines. MiniNerbian, a simplified version of NerbianRAT, supports command execution and uses HTTP for communication, serving similar functions but with a smaller footprint.
Magnet Goblin's campaigns, driven by financial incentives, highlight a trend of exploiting one-day vulnerabilities to distribute custom Linux malware. These tools predominantly target edge devices, reflecting a broader pattern of threat actors exploiting previously overlooked areas of vulnerability.