A financially motivated hacker group, tracked as Magnet Goblin, has been using cracked public-facing servers through 1-day exploitations to drop custom Linux malware, according to CheckPoint.
One of the group’s primary exploits included the Ivanti Connect Secure RCE bug, tracked as CVE-2024-21887, that the VPN solutions provider said had active zero-day exploitations.
“Magnet Goblin quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector,” CheckPoint said in a blog post. “At least in one case of Ivanti Connect Secure VPN, the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published.”
Magnet Goblin used 1-day exploitations, publicly disclosed vulnerabilities exploited within a very short window after a patch is available and is applied, for initial infection to drop custom Linux backdoors to pursue financial gains.
Using bugs in Ivanti for initial access
Ivanti issued a public advisory for CVE-2024-21887, carrying a CVSS score of 9.8/10, in January urging users to immediately patch their systems against active exploitations in the wild. The company had called it a command injection vulnerability, capable of allowing arbitrary code execution on the web components of Ivanti Connect Secure, a remote access solution for its enterprise customers.
CheckPoint research places Magnet Goblin exploitations within a day of the patch issuance, pointing out that the group targeted systems that weren’t yet patched with the available fixed updates.
“Check Point Research has been tracking these exploitations and identified several activity clusters targeting vulnerable Connect Secure VPN appliances,” CheckPoint added. “As in many other mass-exploitation of 1-day vulnerabilities cases, differentiating and identifying the different actors is quite challenging.”
CheckPoint could make the connection between the exploits with Magnet Goblin only after it traced several activities leading to the download and deployment of an ELF file, apparently a Linux version of NerbianRAT, a technique consistent with Magnet Goblin’s TTPs.
“In addition to Ivanti, Magnet Goblin historically targeted Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy its custom malware for Linux, as well as Remote Monitoring and Management software such as ConnectWises ScreenConnect,” CheckPoint added. “Some of these activities were publicly described but were not linked to any particular actor.”
Dropping custom Linux malware
Magnet Goblin hackers use malware belonging to a custom malware family called Nerbian. This family includes NerbianRAT, a cross-platform Remote Access Trojan (RAT) with variants for Windows and Linux, and MiniNerbian, a small Linux backdoor, according to CheckPoint.
CheckPoint noticed that the initial infection with 1-day vulnerabilities led to downloading further payloads on the affected system. Among the downloaded payloads was a NerbianRAT Linux variant.
“A new NerbianRAT variant was downloaded from attacker-controlled servers following the exploitation,” CheckPoint added.
After NerbianRAT’s initial configurations run and a command and control (C2) has been established, the C2 is used to carry out a range of malicious activities on the compromised systems, including executing Linux commands immediately or in a new thread, modify connection interval and or work time settings, update a configuration variable, and return command results.
CheckPoint has recommended using its intrusion prevention system and Harmony Endpoint services to protect against exploitation of known vulnerabilities and secure comprehensive endpoint protection, respectively.
——————————————————–