A new threat actor, Magnet Goblin, emerged by rapidly exploiting recently disclosed vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Connect Secure VPN, which allowed them to deploy custom Linux backdoors on vulnerable systems.
Magnet Goblin has a history of targeting platforms like Magento, Qlik Sense, and potentially Apache ActiveMQ, using similar tactics to gain financial advantage.
Their strategy involves quickly adopting newly discovered one-day vulnerabilities to establish backdoors on compromised systems. These backdoors let them steal data or keep unauthorized access, with financial gain as the apparent motive.
A financially driven cybercriminal group exploits weaknesses in edge devices and public servers.
- Magento – CVE-2022-24086
- Qlik Sense – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
- Ivanti Connect Secure – CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893
Their custom-made Nerbian malware family includes tools like NerbianRAT (cross-platform) for complete remote control and MiniNerbian (Linux-specific) for maintaining backdoor access.
Past Magnet Goblin campaigns.
Rapid Exploitation of Public Servers with Custom Malware
An investigation of recent Ivanti exploits revealed downloads linked to a Linux variant of NerbianRAT malware, which fetched various malicious payloads from an attacker-controlled server, including a WARPWIRE JS stealer and Ligolo tunneling tool.
After exploiting the vulnerabilities, the attackers retrieved a fresh copy of NerbianRAT from their own malicious servers:
- http://94.156.71[.]115/lxrt
- http://91.92.240[.]113/aparche2
- http://45.9.149[.]215/aparche2
The group uses a custom WARPWIRE variant alongside NerbianRAT; it steals VPN credentials and sends them to a compromised Magento server. This highlights the threat actor’s multi-tool approach.
Analysis of the Infrastructure:
Beyond the Linux tools mentioned above, Magnet Goblin’s arsenal also extends to Windows. They leverage legitimate tools like ScreenConnect (downloaded from their server) and AnyDesk for remote access.
Interestingly, the IP used for ScreenConnect downloads aligns with the one observed on compromised Qlik Sense servers, suggesting a wider exploitation attempt.
Evidence suggests possible connections to both Cactus ransomware (based on observed tactics) and Apache ActiveMQ vulnerabilities (based on downloaded files).
Compromised Magento servers were used to deploy BAT scripts that downloaded and executed AnyDesk, further showcasing the diverse tools used by this threat actor.
NerbianRAT is a Linux backdoor first observed in May 2022. It is poorly obfuscated and lacks anti-analysis techniques. Upon execution, it collects basic information about the infected machine and generates a unique bot ID.
Then, it decrypts its working directory and searches for a configuration file containing various settings, including the C2 server address, working hours, and a public key for encryption.
It communicates with its C2 server using raw TCP sockets and a custom protocol, and data is encrypted using AES or RSA, depending on the type of data transmitted.
The backdoor operates in two primary states: during working hours (as defined in the configuration), it sends data to the C2 server and awaits instructions, while outside of working hours, it can still send “ping” messages to the server.
MiniNerbian is a simplified version of NerbianRAT focused on command execution. It communicates with its C2 server over HTTP POST requests and supports three actions: executing system commands, changing its internal time flag, and updating its configuration.
In cybersecurity, distinguishing specific activities amid widespread opportunistic exploitation attacks is challenging due to the technical and attribution complexities.
Defenders often prioritize response and mitigation, sometimes missing the activities of unique actors who exploit these situations.
A recent example is the exploitation of Ivanti Connect Secure VPN by various threat actors, including Magnet Goblin, who exploited the vulnerabilities before appliances were patched.
Motivated by financial gains, Magnet Goblin quickly utilized one-day vulnerabilities to deploy custom Linux malware, such as NerbianRAT and MiniNerbian, primarily targeting unprotected edge devices.
IOCs:
| Type | Value | Description |
|---|---|---|
| IP | 91.92.240[.]113 | Magnet Goblin Infra |
| IP | 45.9.149[.]215 | Magnet Goblin Infra |
| IP | 94.156.71[.]115 | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/auth.js | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/login.cgi | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/aparche2 | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/agent | Magnet Goblin Infra |
| URL | http://45.9.149[.]215/aparche2 | Magnet Goblin Infra |
| URL | http://45.9.149[.]215/agent | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/lxrt | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/agent | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/instali.ps1 | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/ligocert.dat | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/angel.dat | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/windows.xml | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/instal1.ps1 | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/Maintenance.ps1 | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/baba.dat | Magnet Goblin Infra |
| URL | http://oncloud-analytics[.]com/files/mg/elf/RT1.50.png | Magnet Goblin Infra |
| URL | http://cloudflareaddons[.]com/assets/img/Image_Slider15.1.png | Magnet Goblin Infra |
| Domain | mailchimp-addons[.]com | MiniNerbian C2 |
| Domain | allsecurehosting[.]com | MiniNerbian C2 |
| Domain | dev-clientservice[.]com | MiniNerbian C2 |
| Domain | oncloud-analytics[.]com | MiniNerbian C2 |
| Domain | cloudflareaddons[.]com | MiniNerbian C2 |
| Domain | textsmsonline[.]com | MiniNerbian C2 |
| Domain | proreceive[.]com | MiniNerbian C2 |
| IP | 172.86.66[.]165 | NerbianRAT C2 |
| IP | 45.153.240[.]73 | NerbianRAT C2 |
| SHA256 | 027d03679f7279a2c505f0677568972d30bc27daf43033a463fafeee0d7234f6 | NerbianRAT |
| SHA256 | 9cb6dc863e56316364c7c1e51f74ca991d734dacef9029337ddec5ca684c1106 | NerbianRAT |
| SHA256 | 9d11c3cf10b20ff5b3e541147f9a965a4e66ed863803c54d93ba8a07c4aa7e50 | NerbianRAT |
| SHA256 | d3fbae7eb3d38159913c7e9f4c627149df1882b57998c8acaac5904710be2236 | MiniNerbian |
| SHA256 | df91410df516e2bddfd3f6815b3b4039bf67a76f20aecabccffb152e5d6975ef | MiniNerbian |
| SHA256 | 99fd61ba93497214ac56d8a0e65203647a2bc383a2ca2716015b3014a7e0f84d | MiniNerbian |
| SHA256 | 9ff0dcce930bb690c897260a0c5aaa928955f4ffba080c580c13a32a48037cf7 | MiniNerbian |
| SHA256 | 3367a4c8bd2bcd0973f3cb22aa2cb3f90ce2125107f9df2935831419444d5276 | MiniNerbian |
| SHA256 | f23307f1c286143b974843da20c257901cf4be372ea21d1bb5dea523a7e2785d | MiniNerbian |
| SHA256 | f1e7c1fc06bf0ea40986aa20e774d6b85c526c59046c452d98e48fe1e331ee4c | MiniNerbian |
| SHA256 | 926aeb3fda8142a6de8bc6c26bc00e32abc603c21acd0f9b572ec0484115bb89 | MiniNerbian |
| SHA256 | 894ab5d563172787b052f3fea17bf7d51ca8e015b0f873a893af17f47b358efe | MiniNerbian |
| SHA256 | 1079e1b6e016b070ebf3e1357fa23313dcb805d3a6805088dbc3ab6d39330548 | WARPWIRE |
| SHA256 | e134e053a80303d1fde769e50c2557ade0852fa827bed9199e52f67bac0d9efc | WARPWIRE |
| URL | www.fernandestechnical[.]com/pub/health_check.php | Compromised Server |
| URL | biondocenere[.]com/pub/health_check.php | Compromised Server |
| URL | www.miltonhouse[.]nl/pub/opt/processor.php | Compromised Server |
| URL | https://theroots[.]in/pub/media/avatar/223sam.jpg | Compromised Server |
| SHA256 | 7967def86776f36ab6a663850120c5c70f397dd3834f11ba7a077205d37b117f | Other: Tools and scripts |
| SHA256 | 9895286973617a79e2b19f2919190a6ec9afc07a9e87af3557f3d76b252292df | Other: Tools and scripts |
| SHA256 | bd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058e | Other: Tools and scripts |
| SHA256 | b35f11d4f54b8941d4f1c5b49101b67b563511a55351e10ad4ede17403529c16 | Other: Tools and scripts |
| SHA256 | 7b1d1e639d1994c6235d16a7ac583e583687660d7054a2a245dd18f24d10b675 | Other: Tools and scripts |
| SHA256 | 8fe1ed1e34e8758a92c8d024d73c434665a03e94e5eb972c68dd661c5e252469 | Other: Tools and scripts |
| SHA256 | fa317b071da64e3ee18d82d3a6a216596f2b4bca5f4d3277a091a137d6a21c45 | Other: Tools and scripts |
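The table above is defanged (`[.]` in place of `.`), so it cannot be pasted straight into a log search. The following script, added here as an illustration and not code from the original report or from the Magnet Goblin tooling, refangs a subset of the indicators above, indexes them by type, and runs them over a few constructed `key=value` proxy log lines. The log format, the internal source addresses and the benign entries are assumptions made for the example; the indicators themselves are copied from the table. It also goes slightly beyond plain exact matching: a domain indicator matches any subdomain of it, and a raw TCP connection with no URL (the NerbianRAT C2 channel described earlier uses raw sockets) is still checked against the IP indicators.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Defanged indicators transcribed from the IOC table (subset for brevity).
RAW_IOCS = [
    ("IP", "91.92.240[.]113", "Magnet Goblin Infra"),
    ("IP", "45.9.149[.]215", "Magnet Goblin Infra"),
    ("IP", "94.156.71[.]115", "Magnet Goblin Infra"),
    ("URL", "http://94.156.71[.]115/lxrt", "Magnet Goblin Infra"),
    ("URL", "http://91.92.240[.]113/aparche2", "Magnet Goblin Infra"),
    ("Domain", "mailchimp-addons[.]com", "MiniNerbian C2"),
    ("Domain", "oncloud-analytics[.]com", "MiniNerbian C2"),
    ("IP", "172.86.66[.]165", "NerbianRAT C2"),
    ("SHA256", "027d03679f7279a2c505f0677568972d30bc27daf43033a463fafeee0d7234f6", "NerbianRAT"),
    ("SHA256", "d3fbae7eb3d38159913c7e9f4c627149df1882b57998c8acaac5904710be2236", "MiniNerbian"),
]

# Constructed sample log lines (key=value proxy/firewall style; an assumed format).
SAMPLE_LOG = [
    "2024-02-15T10:01:22Z src=10.0.0.5 dst=94.156.71.115 url=http://94.156.71.115/lxrt status=200 "
    "sha256=027d03679f7279a2c505f0677568972d30bc27daf43033a463fafeee0d7234f6",
    "2024-02-15T10:02:07Z src=10.0.0.5 dst=203.0.113.9 url=https://cdn.oncloud-analytics.com/files/mg/elf/RT1.50.png status=200",
    "2024-02-15T10:03:41Z src=10.0.0.7 dst=198.51.100.20 url=https://example.com/index.html status=200 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-02-15T10:05:00Z src=10.0.0.5 dst=172.86.66.165 proto=tcp",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Turn a defanged indicator back into its live form."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def normalise_url(url: str) -> str:
    """Lower-case scheme and host, keep the path, drop query and fragment."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def build_index(raw_iocs):
    """Group refanged indicators by type for O(1) lookups (domains are scanned for suffixes)."""
    index = {"IP": {}, "Domain": {}, "URL": {}, "SHA256": {}}
    for kind, value, description in raw_iocs:
        value = refang(value)
        value = normalise_url(value) if kind == "URL" else value.lower()
        index[kind][value] = description
    return index


def host_hits(index, host: str):
    """Match a host against IP indicators (exact) or domain indicators (exact or subdomain)."""
    host = host.lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return [("Domain", d, desc) for d, desc in index["Domain"].items()
                if host == d or host.endswith("." + d)]
    return [("IP", host, index["IP"][host])] if host in index["IP"] else []


def scan_log(lines, index):
    """Return one finding per (line, indicator) match, as a list of dicts."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        hits = []
        url = fields.get("url")
        hosts = set()
        if url:
            norm = normalise_url(url)
            if norm in index["URL"]:
                hits.append(("URL", norm, index["URL"][norm]))
            hosts.add(urlparse(url).hostname or "")
        if fields.get("dst"):
            hosts.add(fields["dst"])  # raw TCP beacons carry no URL, only a destination
        for host in sorted(h for h in hosts if h):
            hits.extend(host_hits(index, host))
        digest = fields.get("sha256", "").lower()
        if digest in index["SHA256"]:
            hits.append(("SHA256", digest, index["SHA256"][digest]))
        for kind, indicator, description in hits:
            findings.append({"line": lineno, "kind": kind,
                             "indicator": indicator, "description": description})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, build_index(RAW_IOCS)):
        print(f"line {f['line']}: {f['kind']} {f['indicator']} -> {f['description']}")
```

The constructed line 1 produces three findings (URL, IP and file hash), line 2 fires on the domain indicator through its `cdn.` subdomain, the benign line 3 produces nothing, and line 4 is caught on destination IP alone. In a real deployment the full table would be loaded from a file and the domain suffix check replaced by a reversed-label trie once the indicator set grows.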