Financially motivated threat actors are called magnet leprechaun are rapidly incorporating one-day security vulnerabilities into their arsenal to exploit them to compromise edge devices and public-facing services and deploy malware on compromised hosts.
“Threat group Magnet Goblin is characterized by its ability to quickly exploit newly disclosed vulnerabilities, particularly against public-facing servers and edge devices,” Check Point said.
“In some cases, exploits were deployed within 1 day after they occurred. [proof-of-concept] Following publication, the threat level posed by this actor increased significantly. “
The adversary’s attacks leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as initial infection vectors to gain unauthorized access. The group is said to have been active since at least January 2022.
After successfully exploiting this vulnerability, a cross-platform remote access Trojan (RAT) called Nerbian RAT will be deployed. This Trojan was first disclosed by Proofpoint in May 2022, and its simplified variant is MiniNerbian. Darktrace has previously highlighted the use of the Linux version of the Nerbian RAT.
Both viruses allow the execution of arbitrary commands received from a command and control (C2) server and leak the results passed back to it.
Some other tools used by Magnet Goblin include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software Ligolo, and legitimate remote desktop products such as AnyDesk and ScreenConnect.
“Magnet Goblin’s activities appear to be financially motivated, quickly exploiting 1-day vulnerabilities to spread their custom Linux malware, Nerbian RAT and MiniNerbian,” the company said.
“These tools operate under the radar because they mostly reside on edge devices. This is part of an ongoing trend of threat actors targeting hitherto unprotected areas.”
