Magnet Goblin Hackers Exploiting 1-day Vulnerabilities To Attack Linux Servers

Threat actors often target Linux servers due to their widespread use in critical infrastructure, web hosting, and cloud environments. 

The open-source nature of the Linux operating system allows threat actors to study its code for vulnerabilities.

The cybersecurity researchers at Check Point recently discovered that the Magnet Goblin hackers have been actively exploiting 1-day vulnerabilities to attack Linux servers.

“1-day flaws” are vulnerabilities that have been publicly disclosed and for which a patch has already been released.

Exploiting these vulnerabilities requires threat actors to act quickly before the target applies security updates.

This type of flaw can pose a significant risk to organizations that are slow to apply patches, as attackers can easily leverage these known vulnerabilities to gain unauthorized access to their systems or sensitive information.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
    • If you want to test all these features now with completely free access to the sandbox:


Magnet Goblin Hackers

Ivanti Connect Secure VPN vulnerabilities (CVE-2023-46805, CVE-2023-21887) are exploited widely.

Check Point Research tracked activity clusters, including the Magnet Goblin actor. It analyzed the NerbianRAT Linux variant and uncovered unattributed attacks linked to the same actor. 

Magnet Goblin adopts 1-day exploits and deploys custom Linux backdoors for financial gain. Magnet Goblin hit Ivanti, Magento, Qlik Sense, Apache ActiveMQ, and ConnectWise ScreenConnect.

Some attacks were public but unattributed until now. Magnet Goblin is a financially motivated threat actor who exploits 1-day bugs and edge devices.

Past Magnet Goblin campaigns timeline (Source – CheckPoint)

It uses custom malware like NerbianRAT (Windows/Linux RAT), and MiniNerbian (Linux backdoor). While all the previous activities unattributed showed a quick 1-day adoption pattern:-

  • Magento: CVE-2022-24086
  • Qlik Sense: CVE-2023-41265, CVE-2023-41266, CVE-2023-48365
  • Ivanti: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893

Ivanti exploit tracking revealed NerbianRAT Linux deployment via varied payloads from attacker infrastructure. While post-exploit the new NerbianRAT variant was downloaded from attacker servers, and the payload URLs are:-

  • http://94.156.71[.]115/lxrt
  • http://91.92.240[.]113/aparche2
  • http://45.9.149[.]215/aparche2

NerbianRAT and a custom WARPWIRE variant were used by Magnet Goblin, who exploited Ivanti Connect Secure vulnerabilities. 

WARPWIRE is a simple stealer that sends VPN credentials to “https[:]//www[.]miltonhouse[.]nl/pub/opt/processor.php.” 

The analysis indicates a compromised Magento server. Magnet Goblin targeted such servers in 2022 by deploying a smaller Linux NerbianRAT version, MiniNerbian.

Compromised Magento servers (Source – CheckPoint)

Magnet Goblin’s arsenal extends beyond the Linux tools used in Magneto and Ivanti campaigns. It includes the Ligolo tunneling tool, Windows RMM ScreenConnect (94.156.71.115), and AnyDesk. 

Potential Cactus Ransomware link (TTPs match public reports). Apache ActiveMQ exploitation attempts are evident from XML payloads. 

The compromised Magento server biondocenere[.]com is used for AnyDesk deployment via the BAT script. Here, the 23.184.48.132 was linked to ScreenConnect payloads.

The NerbianRAT Windows variant was first unveiled in 2022 by ProofPoint, delivered via Covid-19 lure targeting European entities.

Campaign goals unclear used who-international[.]com domain linked to other cybercrime. 

The original Windows version leveraged compromised Magento server fernandestechnical[.]com/pub/health_check.php for C2, aligning with Magnet Goblin’s Tactics.

MiniNerbian is a Streamlined variant of NerbianRAT for command execution that shares code with NerbianRAT but new malware with similar encryption and string decryption functions.

In the world of cyber threats, detecting and attributing specific activities or cyberattacks is a challenge.

This financially motivated group adopts 1-day vulnerabilities for their Linux malware, and operating under the radar on edge devices is a growing trend in targeting previously unprotected areas.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.