| Magnet Goblin | |
| --- | --- |
| Other Names | Unknown |
| Location | Unknown |
| Date of initial activity | 2022 |
| Suspected attribution | Unknown |
| Associated Groups | Unknown |
| Motivation | Financial Gain |
| Associated tools | NerbianRAT, MiniNerbian, WARPWIRE |
| Active | Yes |
Overview
Magnet Goblin is a financially motivated threat actor who quickly leverages 1-day vulnerabilities, often in edge devices, after their disclosure. The actor uses malware belonging to a custom malware family called Nerbian. This family includes NerbianRAT, a cross-platform RAT with variants for Windows and Linux, and MiniNerbian, a small Linux backdoor.
Common targets
Devices and services targeted by the group include Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893), Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense (CVE-2023-41265, CVE-2023-41266, CVE-2023-48365), and Magento (CVE-2022-24086).
Attack Vectors
The threat actor quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector, then deploys custom malware on Windows and Linux systems.
1-day vulnerabilities are publicly disclosed flaws for which a patch is already available. Threat actors aiming to capitalize on them must act swiftly, before targets apply the security updates.
How they operate
The Check Point analysts who uncovered Magnet Goblin's deployment of Nerbian RAT observe that the group swiftly capitalizes on recently disclosed vulnerabilities. In certain instances, it exploited these weaknesses within a day of a Proof of Concept (PoC) exploit becoming public.
Magnet Goblin utilizes these vulnerabilities to infiltrate servers with tailored malware, including NerbianRAT and MiniNerbian, alongside a personalized version of the WARPWIRE JavaScript stealer.
NerbianRAT for Windows has been known since 2022, but Check Point recently uncovered a Linux variant, used by Magnet Goblin, that has been in circulation since May 2022. Upon execution, this variant performs basic initialization: gathering system information (time, username, machine name), generating a bot ID, and configuring network communication through a hardcoded IP address.
Following initialization, NerbianRAT loads its configuration settings, dictating activity schedules, communication intervals with the command and control (C2) server, and other operational parameters. The C2 server can then issue various commands to the malware, including executing Linux commands, modifying connection intervals, and updating configuration variables.
MiniNerbian, a streamlined iteration of NerbianRAT, focuses primarily on executing commands and supports actions like relaying command results, updating activity schedules, and adjusting configurations. Unlike its more intricate counterpart, MiniNerbian communicates with the C2 server via HTTP, potentially serving as a redundancy or stealthier backdoor for Magnet Goblin’s operations.
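The two implants described above are characterized by configured communication intervals with a C2 server, and MiniNerbian talks to that server over HTTP. One generic way a defender can hunt for that behaviour, without knowing the specific IP or interval in advance, is to look for host-to-destination pairs in proxy logs whose connection gaps are nearly constant. The following is an added example written for this page, not code from Check Point or from the malware itself: the log format, the IP addresses and the five-minute interval are all constructed for illustration and are not Magnet Goblin indicators.

```python
"""Flag fixed-interval HTTP beaconing in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines, not real traffic.
# Assumed format: "<ISO timestamp> <src_ip> <dst_ip> <method> <path>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.10 POST /api/report
2024-03-01T10:00:04 10.0.0.5 198.51.100.7 GET /index.html
2024-03-01T10:05:00 10.0.0.5 203.0.113.10 POST /api/report
2024-03-01T10:07:31 10.0.0.5 198.51.100.7 GET /news
2024-03-01T10:10:01 10.0.0.5 203.0.113.10 POST /api/report
2024-03-01T10:15:00 10.0.0.5 203.0.113.10 POST /api/report
2024-03-01T10:19:48 10.0.0.5 198.51.100.7 GET /about
2024-03-01T10:20:00 10.0.0.5 203.0.113.10 POST /api/report
2024-03-01T10:24:59 10.0.0.5 203.0.113.10 POST /api/report
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_hits=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for pairs whose inter-request
    gaps are nearly constant. cv is the coefficient of variation of the gaps;
    a small value means the timing is regular, which ordinary browsing rarely is.
    """
    findings = []
    for (src, dst), times in events.items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all requests in the same second; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, dst, round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s (cv={cv})")
```

On the constructed log the 203.0.113.10 destination is flagged (five-minute cadence with jitter of about a second) while the ordinary browsing to 198.51.100.7 is not. The thresholds are starting points: loosen `max_cv` to catch implants that add deliberate jitter, and raise `min_hits` on noisy networks to reduce false positives from legitimate polling clients such as update checkers.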