Financially Motivated Group Magnet Goblin Exploits 1-Day Vulnerabilities with Custom Malware
The financially motivated hacking group Magnet Goblin has gained attention for its rapid adoption and exploitation of 1-day vulnerabilities, as warned by Check Point. The threat actor focuses on internet-facing services; one notable case is CVE-2024-21887 in Ivanti Connect Secure VPN, which the group integrated into its toolkit within one day of a proof of concept (PoC) being published.
In addition to Ivanti, Magnet Goblin has conducted multiple campaigns targeting vulnerabilities in Magento, Qlik Sense, and possibly Apache ActiveMQ. Notable vulnerabilities leveraged by the group include:
- Magento: CVE-2022-24086
- Qlik Sense: CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
- Ivanti Connect Secure: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893
One instance involving the exploitation of the Ivanti Connect Secure VPN vulnerability saw threat actors deploying a previously undetected Linux variant of malware named NerbianRAT, alongside a JavaScript credential stealer known as WARPWIRE.
While the Windows version of NerbianRAT was first identified in 2022, the Linux variant employed by Magnet Goblin has been circulating since May 2022.
Upon execution, the Linux NerbianRAT variant initiates a series of processes, including gathering system information, generating a unique bot ID, and establishing encrypted communication channels using raw TCP sockets. Unlike its Windows counterpart, the Linux version employs AES encryption for communication.
Below are the actions supported by the malware:

| Action ID | Action description |
|---|---|
| 1 | Continue requesting more actions. |
| 4 | Run a Linux command in a separate thread. |
| 5 | Send the last command result and clean up the result file (if a command is still running, it is stopped). |
| 6 | Run a Linux command immediately. |
| 7 | Do nothing / idle command. |
| 8 | Change the connection interval global variable. |
| 9 | Update the start and end worktimes, then save the config file. |
| 14 | Send back the idle status timings string / the configuration / the results of the last run Linux command. |
| 15 | Set a config variable, based on the name of the field and a value. |
| 16 | Update the gl_command_buffer global variable, used when executing commands from the C2. |
Furthermore, Magnet Goblin has developed a simplified version of NerbianRAT, named MiniNerbian, which, unlike NerbianRAT, communicates with the C2 server over HTTP rather than raw TCP. It supports a reduced set of actions: executing C2 commands, updating the activity schedule, and modifying the configuration.