A financially motivated threat actor known as Magnet Goblin is exploiting known vulnerabilities to target public-facing services and deliver custom malware to unpatched Windows and Linux systems, including recently discovered Ivanti Connect Secure VPN flaws. The group deploys custom Windows and Linux malware, such as NerbianRAT and MiniNerbian, and leverages legitimate remote monitoring and management tools. Researchers have observed the group's quick adoption of 1-day vulnerabilities to deliver their custom Linux malware, targeting areas that have been left unprotected.
Researchers have discovered a previously unseen Linux variant of the NerbianRAT malware, which has been circulating for at least two years and is installed through the exploitation of recently patched vulnerabilities. The malware, attributed to the threat actor Magnet Goblin, is used to steal credentials and has been deployed through 1-day vulnerabilities in various software, including Ivanti Secure Connect, Magento, and Qlink Sense. Checkpoint Research also identified a smaller version of the malware, MiniNerbian, used for backdooring servers running the Magento ecommerce platform. The Linux version of NerbianRAT lacks protective measures and has been observed stealing VPN credentials and connecting to attacker-controlled IPs.
The financially motivated hacking group Magnet Goblin is exploiting 1-day vulnerabilities to deploy custom malware on Windows and Linux systems, targeting devices and services such as Ivanti Connect Secure, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense, and Magento. The group uses custom malware including NerbianRAT and MiniNerbian, with a Linux variant of NerbianRAT identified. Check Point warns that identifying such threats among the volume of 1-day exploitation data is challenging, emphasizing the importance of quick patching and additional security measures to mitigate potential breaches.
Chinese hacker group Earth Lusca has been targeting government agencies worldwide with a new Linux backdoor called SprySOCKS. The malware, which originated from the Trochilus Windows malware, has been adapted for Linux systems and combines features from other malware. Earth Lusca exploits n-day vulnerabilities to gain initial access and deploys Cobalt Strike beacons for remote access. The SprySOCKS loader is dropped to establish persistence and perform various malicious activities, including collecting system information, starting an interactive shell, managing SOCKS proxy configurations, and conducting basic file operations. Organizations are advised to apply security updates to prevent compromise from Earth Lusca.
