
    Expanding on Magnet Goblin’s Tactics with Nerbian RAT

    Magnet Goblin, a financially motivated threat group, has been making waves in the cybersecurity world by swiftly leveraging one-day security vulnerabilities to infiltrate edge devices and public-facing services. Their modus operandi involves exploiting newly disclosed vulnerabilities, often within a day of their publication, to breach systems and deploy malware.

    According to Check Point, Magnet Goblin’s ability to deploy exploits quickly after a proof-of-concept is released significantly raises the threat level posed by this group. Their attacks have targeted servers running unpatched versions of Ivanti Connect Secure VPN, Magento, Qlik Sense, and potentially Apache ActiveMQ, using these vulnerabilities as entry points.

    Once inside a system, Magnet Goblin wastes no time in deploying the Nerbian RAT, a remote access trojan that can run on multiple platforms. First brought to light by Proofpoint in May 2022, Nerbian RAT allows attackers to execute arbitrary commands received from a command-and-control server and exfiltrate the results.

    Darktrace has previously highlighted the use of the Linux version of Nerbian RAT by Magnet Goblin. The group also employs a simplified variant called MiniNerbian.

    In addition to these tactics, Magnet Goblin uses other tools such as the WARPWIRE JavaScript credential stealer, the Go-based tunneling tool Ligolo, and legitimate remote desktop solutions such as AnyDesk and ScreenConnect.

    Check Point notes that Magnet Goblin’s campaigns are primarily financially motivated. By quickly adopting one-day vulnerabilities to deploy their custom Linux malware, Nerbian RAT and MiniNerbian, Magnet Goblin has managed to operate under the radar, largely targeting edge devices. This trend underscores the group’s focus on exploiting less protected areas, which until now have been overlooked by many threat actors.
