11 March 2024

Magnet Goblin exploits Ivanti, Magento, Qlik Sense flaws to drop malware

A financially motivated threat actor called “Magnet Goblin” is targeting public-facing servers with one-day vulnerabilities to deploy Linux backdoors and credential stealers.

According to Check Point’s recent report, the threat actor has attacked Ivanti Connect Secure VPN appliances, Magento e-commerce servers, Qlik Sense business analytics servers and, possibly, Apache ActiveMQ servers to gain unauthorized access.

“At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published,” the researchers noted.

CVE-2024-21887 is an OS command injection issue that can be abused for remote arbitrary shell command execution. Previously, the China-linked state-backed threat actor UNC5221/UTA0178 was observed exploiting this flaw together with CVE-2023-46805, an authentication bypass, to install web shells and backdoors on compromised Ivanti Connect Secure VPN devices.

The campaign spotted by Check Point involved the threat actor deploying a novel Linux version of a malware called ‘NerbianRAT’, in addition to a JavaScript credential stealer called ‘Warpwire.’ The attacker’s arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk.

The list of security vulnerabilities weaponized by Magnet Goblin includes: Magento (CVE-2022-24086), Qlik Sense (CVE-2023-41265, CVE-2023-41266 and CVE-2023-48365) and Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893). It’s worth noting that the trio of bugs in Qlik Sense was previously exploited in Cactus ransomware attacks for initial access to enterprise servers.

Check Point said it first uncovered the criminal gang while it was tracking the Ivanti Connect Secure vulnerabilities.

In the Ivanti and Magento exploitation campaigns, the threat actor downloaded a Linux version of NerbianRAT, a version of the Warpwire JavaScript credential stealer, and a Go-based open-source tunneling tool called ‘Ligolo.’

“In addition to possible links to the Qlik Sense exploitation, other files visible on Nerbian-associated servers suggest the threat actor likely attempted to exploit Apache ActiveMQ servers,” the researchers noted.

First spotted in 2022, NerbianRAT comes in Windows and Linux versions. Unlike the Windows variant, the Linux version barely has any protective measures. It is compiled with DWARF debugging information, which allows analysts to view, among other things, function names and global variable names.
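The check a practitioner would want at this point is a quick way to tell whether a captured Linux ELF binary still carries DWARF debug sections and an unstripped symbol table, since that is what makes the Linux NerbianRAT sample easy to read. The Python below is an added example written for this page, not Check Point’s tooling and not based on the actual NerbianRAT binary: it parses the ELF64 section headers by hand, reports which `.debug_*` sections are present, and lists the function and global-variable names from `.symtab`. The sample ELF image it runs on is constructed inline (headers and tables only, no code, and placeholder bytes in the debug sections), so it works offline; pass a real file path as the first argument to inspect an actual binary.

```python
"""Check a Linux ELF64 binary for DWARF debug sections and list the
function/global-variable names its symbol table exposes.
Added example for this page, not Check Point's tooling. Pure Python,
little-endian ELF64 only. The sample binary below is constructed inline."""
import struct

ELF64_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
ELF64_SHDR = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
ELF64_SYM = "<IBBHQQ"             # Elf64_Sym, 24 bytes
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
STT_OBJECT, STT_FUNC = 1, 2
DWARF_SECTIONS = (".debug_info", ".debug_abbrev", ".debug_line", ".debug_str")


def _cstr(table, off):
    """Read a NUL-terminated string from a string-table blob."""
    return table[off:table.index(b"\x00", off)].decode("ascii", "replace")


def parse_sections(data):
    """Return the section headers as a list of dicts, in section-index order."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    hdr = struct.unpack_from(ELF64_HDR, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [struct.unpack_from(ELF64_SHDR, data, shoff + i * shentsize)
           for i in range(shnum)]
    shstr = raw[shstrndx]                       # section-name string table
    shstrtab = data[shstr[4]:shstr[4] + shstr[5]]
    return [{"name": _cstr(shstrtab, sh[0]), "type": sh[1],
             "offset": sh[4], "size": sh[5], "link": sh[6]} for sh in raw]


def dwarf_sections(sections):
    """DWARF sections present; an empty list means stripped or built without -g."""
    present = {s["name"] for s in sections}
    return [n for n in DWARF_SECTIONS if n in present]


def symbol_names(data, sections):
    """Function and global-variable names from .symtab (only there if unstripped)."""
    names = {"functions": [], "objects": []}
    symtab = next((s for s in sections if s["type"] == SHT_SYMTAB), None)
    if symtab is None:
        return names
    strsec = sections[symtab["link"]]           # sh_link = index of .strtab
    strtab = data[strsec["offset"]:strsec["offset"] + strsec["size"]]
    for off in range(symtab["offset"], symtab["offset"] + symtab["size"], 24):
        st_name, st_info, _, _, _, _ = struct.unpack_from(ELF64_SYM, data, off)
        if st_name == 0:
            continue                            # null / unnamed symbol
        kind = st_info & 0xF                    # low nibble = symbol type
        if kind == STT_FUNC:
            names["functions"].append(_cstr(strtab, st_name))
        elif kind == STT_OBJECT:
            names["objects"].append(_cstr(strtab, st_name))
    return names


def build_sample_elf(with_debug=True):
    """Constructed test image (headers and tables only, no code); the symbol
    names and debug bytes are made up for this example."""
    strtab = b"\x00main\x00handle_cmd\x00g_config\x00"   # offsets 1, 6, 17
    symbols = b"".join([
        struct.pack(ELF64_SYM, 0, 0, 0, 0, 0, 0),
        struct.pack(ELF64_SYM, 1, (1 << 4) | STT_FUNC, 0, 1, 0x1000, 32),
        struct.pack(ELF64_SYM, 6, (1 << 4) | STT_FUNC, 0, 1, 0x1020, 64),
        struct.pack(ELF64_SYM, 17, (1 << 4) | STT_OBJECT, 0, 2, 0x2000, 8),
    ])
    debug_blob = b"\x07\x00\x00\x00\x04\x00\x00\x00\x00\x00\x08"  # placeholder
    # (name, type, payload, sh_link, sh_entsize); .symtab links to .strtab at index 2
    layout = [("", 0, b"", 0, 0), (".symtab", SHT_SYMTAB, symbols, 2, 24),
              (".strtab", SHT_STRTAB, strtab, 0, 0)]
    if with_debug:
        layout += [(n, SHT_PROGBITS, debug_blob, 0, 0) for n in DWARF_SECTIONS]
    layout.append((".shstrtab", SHT_STRTAB, None, 0, 0))
    shstrtab, name_off = b"\x00", {}
    for name, *_ in layout:
        if name:
            name_off[name] = len(shstrtab)
            shstrtab += name.encode() + b"\x00"
    layout[-1] = (".shstrtab", SHT_STRTAB, shstrtab, 0, 0)
    body, headers = b"", []
    for name, stype, payload, link, entsize in layout:
        off = 64 + len(body) if payload else 0
        headers.append(struct.pack(ELF64_SHDR, name_off.get(name, 0), stype, 0, 0,
                                   off, len(payload), link,
                                   1 if stype == SHT_SYMTAB else 0, 1, entsize))
        body += payload
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9       # ELF64, little-endian
    ehdr = struct.pack(ELF64_HDR, ident, 2, 62, 1, 0, 0, 64 + len(body), 0,
                       64, 0, 0, 64, len(headers), len(headers) - 1)
    return ehdr + body + b"".join(headers)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    secs = parse_sections(blob)
    print("DWARF sections:", dwarf_sections(secs) or "none")
    print("symbols:", symbol_names(blob, secs))
```

Running it without arguments inspects the constructed image and reports all four DWARF sections plus the names `main`, `handle_cmd` and `g_config`; `build_sample_elf(with_debug=False)` models a binary built without `-g`, for which `dwarf_sections` returns nothing. On a real sample, an empty DWARF list together with an empty symbol table is the stripped case the Windows variant corresponds to, and `readelf -S` / `readelf --debug-dump=info` can be used to cross-check the result.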

MiniNerbian is a simplified version of NerbianRAT designed only for command execution.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian. Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected,” Check Point cautions.
