Magnet Goblin Hackers Exploit 1-day Vulnerabilities to Deploy NerbianRAT Linux Malware

Written by Gabby Lee

March 12, 2024

Magnet Goblin Hackers Exploit 1-day Vulnerabilities to Deploy NerbianRAT Linux Malware

The Magnet Goblin hackers, driven by financial motives, use 1-day vulnerabilities to breach servers and install custom Linux malware NerbianRAT and MiniNerbian.

What are 1-day Vulnerabilities?

1-day vulnerabilities are publicly disclosed flaws for which a patch has already been released. Threat actors who wish to exploit these vulnerabilities must act swiftly before their intended targets can apply security updates.

Typically, exploits for 1-day Vulnerabilities are not immediately available upon disclosure. However, in some cases, it is relatively easy to determine how to take advantage of the vulnerability.

Additionally, by reverse-engineering the patch, the underlying issue and its exploitation methods can be discovered.

Magnet Goblin Hackers Are Capable Enough to Exploit 1-day Vulnerabilities Within a Day, Says Checkpoint

According to Check Point analysts who have identified Magnet Goblin, these threat actors are known for their swift exploitation of newly disclosed vulnerabilities. In some cases, they exploit flaws within a day of a Proof of Concept (PoC) exploit being released.

The hackers target various devices and services, including Ivanti Connect Secure (CVE-2024-21887, CVE-2023-46805, CVE-2024-21888, CVE-2024-21893), Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense (CVE-2023-41266, CVE-2023-41265, CVE-2023-48365), and Magento (CVE-2022-24086).

Magnet Goblin leverages these vulnerabilities to infect servers with custom malware, specifically NerbianRAT, MiniNerbian, and a customized version of the WARPWIRE JavaScript stealer.

Magnet Goblin Hackers Exploit 1-day Vulnerabilities to Deploy NerbianRAT Linux Malware

Timeline of Magnet Goblin activities

Source: Check Point

Custom Linux Malware ‘NerbianRAT’ Modus Operandi

According to the latest report from Check Point, while NerbianRAT for Windows has been known since 2022, Magnet Goblin has been circulating a Linux variant of the malware since May 2022. Despite being sloppily compiled, this Linux variant remains effective.

Upon initial execution, the malware carries out several preliminary actions. These include collecting system information such as the current time, username, and machine name.

NerbianRAT generates a unique bot ID, sets a hardcoded IP address as both the primary and secondary host, establishes the working directory, and loads a public RSA key for encrypting network communication using AES.

Subsequently, NerbianRAT loads its configuration, which specifies the activity times (worktime), time intervals for communication with the command and control (C2) server, and other relevant parameters.

Magnet Goblin Hackers Exploit 1-day Vulnerabilities to Deploy NerbianRAT Linux Malware

Configuration parameters

Source: Check Point

Upon receiving instructions from the command and control (C2) server, the custom Linux malware is capable of executing various actions on the infected system. These actions, which may be sent in any order, include:

  • Immediate execution of a Linux command
  • Sending the command result to the server, while also cleaning the associated file and terminating any ongoing commands
  • Updating a specific configuration variable
  • Modifying the interval for establishing connections
  • Requesting additional actions from the server
  • Refreshing the command buffer for C2 execution commands
  • Executing a Linux command in a new thread
  • Adjusting and saving worktime settings
  • Returning idle timings, configuration details, or command results
  • Taking no action, remaining idle

Magnet Goblin Hackers Also Use MiniNerbian, a Mini Version of the NerbianRAT

MiniNerbian, a streamlined variant of NerbianRAT, focuses on command execution and supports the following actions:

  • Executing commands from the C2 and returning the results
  • Updating the activity schedule, either for the entire day or specific hours
  • Updating the configuration settings
Magnet Goblin Hackers Exploit 1-day Vulnerabilities to Deploy NerbianRAT Linux Malware

Similarities Between Codes of NerbianRAT and MiniNerbian

Source: Check Point

Unlike the more intricate NerbianRAT, MiniNerbian communicates with the C2 server through HTTP, distinguishing it from the former’s employment of raw TCP sockets for communication.

It is possible that Magnet Goblin hackers use MiniNerbian as a redundant or stealthier backdoor in certain cases. According to Check Point, identifying specific threats like the attacks carried out by Magnet Goblin amidst the vast amount of 1-day exploitation data can be challenging.

This allows such hacker groups to camouflage themselves amidst the chaos that often follows the disclosure of vulnerabilities.

Taking prompt action to apply patches is crucial in countering 1-day exploitation. Furthermore, implementing additional measures like network segmentation, endpoint protection, and multi-factor authentication can help mitigate the potential impact of breaches.

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!