“Check Point Research has been tracking these exploitations and identified several activity clusters targeting vulnerable Connect Secure VPN appliances,” CheckPoint added. “As in many other cases of mass exploitation of 1-day vulnerabilities, differentiating and identifying the different actors is quite challenging.”
CheckPoint could make the connection between the exploits and Magnet Goblin only after it traced several activities leading to the download and deployment of an ELF file, apparently a Linux version of NerbianRAT, a technique consistent with Magnet Goblin’s TTPs.
“In addition to Ivanti, Magnet Goblin historically targeted Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy its custom malware for Linux, as well as Remote Monitoring and Management software such as ConnectWise’s ScreenConnect,” CheckPoint added. “Some of these activities were publicly described but were not linked to any particular actor.”
Dropping custom Linux malware
Magnet Goblin hackers use malware belonging to a custom malware family called Nerbian. This family includes NerbianRAT, a cross-platform Remote Access Trojan (RAT) with variants for Windows and Linux, and MiniNerbian, a small Linux backdoor, according to CheckPoint.
CheckPoint noticed that the initial compromise through 1-day vulnerabilities led to further payloads being downloaded onto the affected system. Among the downloaded payloads was a NerbianRAT Linux variant.
“A new NerbianRAT variant was downloaded from attacker-controlled servers following the exploitation,” CheckPoint added.