Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT

A financially motivated threat actor called Magnet Goblin is swiftly adopting one-day security vulnerabilities into its arsenal in order to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts.

“Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices,” Check Point said.

“In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is published, significantly increasing the threat level posed by this actor.”

Attacks mounted by the adversary have leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as an initial infection vector to gain unauthorized access. The group is said to be active since at least January 2022.

A successful exploitation is followed by the deployment of a cross-platform remote access trojan (RAT) dubbed Nerbian RAT, which was first disclosed by Proofpoint in May 2022, as well as its simplified variant called MiniNerbian. The use of the Linux version of Nerbian RAT was previously highlighted by Darktrace.

Both the strains allow for execution of arbitrary commands received from a command-and-control (C2) server and exfiltrating the results backed to it.

Some of the other tools used by Magnet Goblin include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software known as Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, Nerbian RAT and MiniNerbian,” the company said.

“Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”