A financially motivated cyber threat actor, dubbed “Magnet Goblin” by Check Point researchers, is leveraging known vulnerabilities in public-facing services to distribute tailored malware to unpatched Windows and Linux systems.
The Magnet Goblin threat actor, known for their persistent activity, has been exploiting a series of vulnerabilities, including two recently unearthed flaws in Ivanti Connect Secure VPN, which have become a favorite among attackers.
Magnet Goblin’s Arsenal of Exploited Vulnerabilities
Since their emergence in 2022, Magnet Goblin has been actively searching for vulnerabilities to exploit, initially targeting Magento servers through CVE-2022-24086. Subsequently, they expanded their arsenal, exploiting vulnerabilities in Qlik Sense and Ivanti Connect Secure VPN devices, including CVE-2023-41265, CVE-2023-41266, CVE-2023-48365, CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.
Employing a range of custom Windows and Linux malware, Magnet Goblin’s toolkit includes the notorious NerbianRAT and its Linux variant, MiniNerbian, both serving as remote access trojans (RATs) and backdoors for command execution. Despite being first detected in 2022, NerbianRAT continues to plague systems, with a Linux version emerging in May of the same year.
In addition to the above-mentioned exploits, Magnet Goblin leverages the WARPWIRE credential harvester, the Ligolo tunneling tool, and legitimate remote monitoring and management (RMM) utilities such as ScreenConnect and AnyDesk.
Although researchers cannot definitively establish a link, Magnet Goblin’s tactics, techniques, and procedures (TTPs) bear resemblance to those employed in the Cactus ransomware campaign of December 2023, which singled out vulnerable internet-facing Qlik Sense instances.
The group’s adeptness at swiftly adopting 1-day vulnerabilities to distribute their custom Linux malware has allowed them to largely operate under the radar, primarily on edge devices.