Hackers leverage 1-day vulnerabilities to deliver custom Linux malware
A financially motivated threat actor is using known vulnerabilities to target public-facing services and deliver custom malware to unpatched Windows and Linux systems.
The exploited vulnerabilities also include two recently discovered Ivanti Connect Secure VPN flaws that are being widely exploited by a variety of attackers.
Magnet Goblin activity
Magnet Goblin – as the threat actor has been dubbed by Check Point researchers – has been targeting unpatched edge devices and public-facing servers for years.
They started in 2022 by exploiting a vulnerability (CVE-2022-24086) in Magento servers, then continued by exploiting flaws in:
- Qlik Sense – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
- Ivanti Connect Secure VPN devices – CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893
Custom Windows and Linux malware
The threat actor commonly deploys custom malware, specifically NerbianRAT, MiniNerbian, and the WARPWIRE JavaScript stealer.
Researchers first detected NerbianRAT for Windows in 2022, while the “sloppily compiled” Linux variant was first seen in May 2022 and “barely has any protective measures”.
NerbianRAT is a remote access trojan (RAT) that, after successful exploitation, is deployed together with its simplified version, MiniNerbian, a Linux backdoor used for command execution.
Magnet Goblin also uses the WARPWIRE credential harvester, the open-source tunneling tool Ligolo, and leverages legitimate remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk.
Even though the researchers can’t confirm the connection, the TTPs used by Magnet Goblin are similar to those used by attackers in the Cactus ransomware campaign in early December 2023, which targeted vulnerable internet-facing Qlik Sense instances.
The group has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, and those tools have operated under the radar as they mostly reside on edge devices, the researchers noted. “This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”