Cybersecurity researchers from Check Point haev discovered a new hacking collective deploying all-new malware on Windows and Linux devices.
Check Point says the previously-unknown group, dubbed Magnet Goblin, was leveraging 1-day vulnerabilities - flaws for which a patch was only recently released. In some instances, the group was leveraging flaws just a day after someone releases a proof-of-concept (PoC).
Some of the flaws Magnet Goblin was abusing includes those found in Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense (CVE-2023-41265, CVE-2023-41266, CVE-2023-48365), and Magento (CVE-2022-24086).
Securing the website
The group used the flaws to deploy unique malware, for both Windows and Linux, such as NerbianRAT, MiniNerbian, and WARPWIRE. While NerbianRAT isn’t exactly new, the researchers added that a Linux version only started circulating in mid-2022.
Here is a full list of the malware’s capabilities:
Request more actions from the command & control server (C2)
Execute a Linux command in a new thread
Send command result and clean the file; stop any running commands
Execute a Linux command immediately
Do nothing
Modify connection interval
Adjust and save worktime settings
Return idle timings, config, or command results
Update a specific config variable
Refresh command buffer for C2 execution commands
As for MiniNerbian, as the name suggests, it’s a stripped-down version of NerbianRAT, capable of:
Executing C2's commands and returning results
Updating activity schedule (full day or specific hours)
Updating configuration
Magnet Goblin is described as a financially-motivated actor, meaning it’s not state-sponsored and its goals aren’t aligned with any nation-state. It mostly targets healthcare, manufacturing, and energy organizations in the US, Check Point says. Speaking to The Register, Sergey Shykevich, Check Point’s threat intelligence manager, said the researchers found fewer than 10 organizations in the US that fell victim to Magnet Goblin. “But we assume the real number is much higher,” he added.
"We think it is an opportunistic cybercrime group that we currently can't affiliate to a specific geographical location or a known group," Shykevich added. "This group was able to utilize the Ivanti exploit extremely quickly, just one day after a POC for it was published."
More from TechRadar Pro
- This WordPress plugin vulnerability has put millions of websites at risk
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
