Magnet Goblin, a financially motivated threat actor, is swiftly adopting one-day security vulnerabilities into its arsenal to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts. Threat actor group Magnet Goblin's hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, mainly targeting public-facing servers and edge devices. In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is published, significantly increasing the threat level posed by this actor.
Attacks mounted by the adversary have leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as an initial infection vector to gain unauthorized access. The group is said to be active since at least January 2022.
Successful exploitation is followed by deploying a cross-platform remote access trojan (RAT) dubbed Nerbian RAT, first disclosed by Proofpoint in May 2022, and its simplified variant called MiniNerbian. Darktrace previously highlighted the use of the Linux version of Nerbian RAT. Both strains allow for executing arbitrary commands received from a command-and-control (C2) server and exfiltrating the results back to it.
Some of Magnet Goblin's other tools include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software known as Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect. Magnet Goblin, whose campaigns appear to be financially motivated, has quickly adopted 1-day vulnerabilities to deliver its custom Linux malware, Nerbian RAT and MiniNerbian. Those tools operate under the radar as they primarily reside on edge devices. This is part of an ongoing trend for threat actors to target unprotected areas.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www. redskyalliance. org/
- Website: https://www. redskyalliance. com/
- LinkedIn: https://www. LinkedIn. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments