Magnet Goblin Hackers Use 1-Day Flaws to Drop Custom Linux Malware

A financially motivated hacking group exploits newly disclosed 1-day vulnerabilities to infiltrate public-facing servers, deploying custom malware on both Windows and Linux systems. These vulnerabilities, publicly disclosed but not yet patched, are swiftly leveraged by threat actors before security updates can be applied. Analysts identified rapid exploitation of these vulnerabilities, sometimes within a day of a proof of concept exploit being released.

The hackers target a variety of devices and services, including Ivanti Connect Secure, Apache ActiveMQ, ConnectWise Screen Connect, Qlik Sense, and Magneto using the flaws to infect servers with custom malware such as NerbianRAT and MiniNerbian, along with a tailored variant of the WARPWIRE JavaScript stealer.

Security Officer Comments:
NerbianRAT, initially known for Windows systems, now includes a Linux variant since May 2022. Upon execution, the malware collects system information , generates a unique bot ID, sets communication parameters with a C2 server, and loads configuration settings. The C2 server can issue various commands to the malware including executing Linux commands, updating configuration settings, or returning system information. MiniNerbian, a simplified version of the NerbianRAT, primarily facilitates command execution and communication with the C2 servers via HTTP. This approach differs from the raw TCP socket communication utilized by NerbianRAT, possibly used for redundancy or stealthier backdoor access.

Suggested Corrections:
Check Point says identifying specific threats like Magnet Goblin's attacks among the sheer volume of 1-day exploitation data is challenging, allowing these groups to hide in plain sight in the chaos that follows the disclosure of flaws. Patching quickly is critical in beating 1-day exploitation, while additional measures such as network segmentation, endpoint protection, and multi-factor authentication can help mitigate the impact of potential breaches.