Magnet Goblin, a newly identified financially motivated threat group, has been exploiting vulnerabilities in Ivanti Connect Secure VPN shortly after their public disclosure (CVE-2023-46805 and CVE-2024-21887) to install custom Linux backdoors on vulnerable appliances. The group has used the same playbook against other platforms, including Magento and Qlik Sense.
Magnet Goblin's tactic is to weaponize newly disclosed 1-day vulnerabilities (flaws for which a patch exists but has not yet been widely applied) within days of publication, plant backdoors on the compromised devices, and then monetize that access, for example by stealing data. Its targets are public-facing servers and edge devices. Vulnerabilities it has exploited include:
- CVE-2022-24086 in Magento.
- CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 in Qlik Sense.
- CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 in Ivanti Connect Secure.
Its toolset includes the cross-platform NerbianRAT, which gives full remote control of a host, and the Linux-only MiniNerbian, a lighter backdoor; both belong to the group's custom Nerbian malware family.
Figure: Past Magnet Goblin campaign.
Public Servers’ Rapid Exploitation with Custom Malware
While investigating the Ivanti exploitation, researchers found downloads of the Linux variant of NerbianRAT from attacker-controlled servers. Those servers also hosted the other components of the attack chain, so the group could fetch additional payloads or updated versions of the malware once a foothold was established. The NerbianRAT payloads were retrieved from:
- http://94.156.71[.]115/lxrt
- http://91.92.240[.]113/aparche2
- http://45.9.149[.]215/aparche2
Alongside NerbianRAT, the group deployed a customized variant of the WARPWIRE JavaScript credential stealer, which captures VPN login details and sends them to a compromised Magento server acting as a drop point. This illustrates how Magnet Goblin chains several tools within a single intrusion.
Figure: WARPWIRE variant used by Magnet Goblin.
Infrastructure Analysis:
Magnet Goblin's toolkit is not limited to Linux; it also has Windows components. For remote access on Windows, the group relies on legitimate remote-management software, AnyDesk and ScreenConnect, downloaded from the vendors' official sites. Notably, the IP addresses used to fetch the ScreenConnect installer overlap with those seen on compromised Qlik Sense servers, which points to a broader exploitation campaign run from shared infrastructure.
Based on the observed techniques and downloaded files, there is evidence of possible links to Cactus ransomware activity and to exploitation of Apache ActiveMQ vulnerabilities. BAT scripts that download and run AnyDesk were also served from compromised Magento servers, showing the breadth of techniques the group employs.
Figure: Batch script deploying AnyDesk from a compromised Magento server.
The Linux variant of NerbianRAT has been in use since at least May 2022. It makes little effort at anti-analysis and is not well obfuscated. On startup it generates a unique bot ID and collects basic information about the compromised host. It then decrypts the hard-coded path of its working directory and loads a configuration file from it that holds settings such as the C2 server address and the public key used to encrypt traffic.
NerbianRAT talks to its C2 server over raw TCP connections using a custom protocol; traffic is encrypted with AES or RSA depending on the type of data being sent. The backdoor works in two main modes governed by a working-hours setting: during the configured business hours it sends host information to the C2 and waits for commands, while outside those hours it may only send periodic "ping" (keep-alive) messages. Defenders should therefore not read an absence of command traffic after hours as a sign that the implant is gone.
MiniNerbian is a simplified version of NerbianRAT focused on command execution. It communicates with its C2 server through HTTP POST requests rather than raw TCP, and supports three actions: executing a system command and returning the result, updating its configuration, and changing its internal working-time flag.
Figure: Code similarity between NerbianRAT and MiniNerbian.
Attributing individual actions during waves of opportunistic mass exploitation is difficult: many actors hit the same vulnerable systems at the same time, and technical overlap between them blurs the picture. Responders focused on mitigation and recovery can therefore overlook the behaviour of specific opportunistic actors.
A recent example is the way several groups exploited the Ivanti Connect Secure VPN vulnerabilities before appliances were patched. Financially motivated, Magnet Goblin rapidly weaponized these 1-day vulnerabilities to deploy custom Linux malware, mostly on vulnerable edge devices.
IOCs:
| IOC Type | IOC Value | IOC Description |
|---|---|---|
| IP | 91.92.240[.]113 | Magnet Goblin Infra |
| IP | 45.9.149[.]215 | Magnet Goblin Infra |
| IP | 94.156.71[.]115 | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/auth.js | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/login.CGI | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/aparche2 | Magnet Goblin Infra |
| URL | http://91.92.240[.]113/agent | Magnet Goblin Infra |
| URL | http://45.9.149[.]215/aparche2 | Magnet Goblin Infra |
| URL | http://45.9.149[.]215/agent | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/lxrt | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/agent | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/instali.ps1 | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/ligocert.dat | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/angel.dat | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/windows.xml | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/instal1.ps1 | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/Maintenance.ps1 | Magnet Goblin Infra |
| URL | http://94.156.71[.]115/baba.dat | Magnet Goblin Infra |
| URL | http://oncloud-analytics[.]com/files/mg/elf/RT1.50.png | Magnet Goblin Infra |
| URL | http://cloudflareaddons[.]com/assets/img/Image_Slider15.1.png | Magnet Goblin Infra |
| Domain | mailchimp-addons[.]com | MiniNerbian C2 |
| Domain | allsecurehosting[.]com | MiniNerbian C2 |
| Domain | dev-clientservice[.]com | MiniNerbian C2 |
| Domain | oncloud-analytics[.]com | MiniNerbian C2 |
| Domain | cloudflareaddons[.]com | MiniNerbian C2 |
| Domain | textsmsonline[.]com | MiniNerbian C2 |
| Domain | proreceive[.]com | MiniNerbian C2 |
| IP | 172.86.66[.]165 | NerbianRAT C2 |
| IP | 45.153.240[.]73 | NerbianRAT C2 |
| SHA256 | 027d03679f7279a2c505f0677568972d30bc27daf43033a463fafeee0d7234f6 | NerbianRAT |
| SHA256 | 9cb6dc863e56316364c7c1e51f74ca991d734dacef9029337ddec5ca684c1106 | NerbianRAT |
| SHA256 | 9d11c3cf10b20ff5b3e541147f9a965a4e66ed863803c54d93ba8a07c4aa7e50 | NerbianRAT |
| SHA256 | d3fbae7eb3d38159913c7e9f4c627149df1882b57998c8acaac5904710be2236 | MiniNerbian |
| SHA256 | df91410df516e2bddfd3f6815b3b4039bf67a76f20aecabccffb152e5d6975ef | MiniNerbian |
| SHA256 | 99fd61ba93497214ac56d8a0e65203647a2bc383a2ca2716015b3014a7e0f84d | MiniNerbian |
| SHA256 | 9ff0dcce930bb690c897260a0c5aaa928955f4ffba080c580c13a32a48037cf7 | MiniNerbian |
| SHA256 | 3367a4c8bd2bcd0973f3cb22aa2cb3f90ce2125107f9df2935831419444d5276 | MiniNerbian |
| SHA256 | f23307f1c286143b974843da20c257901cf4be372ea21d1bb5dea523a7e2785d | MiniNerbian |
| SHA256 | f1e7c1fc06bf0ea40986aa20e774d6b85c526c59046c452d98e48fe1e331ee4c | MiniNerbian |
| SHA256 | 926aeb3fda8142a6de8bc6c26bc00e32abc603c21acd0f9b572ec0484115bb89 | MiniNerbian |
| SHA256 | 894ab5d563172787b052f3fea17bf7d51ca8e015b0f873a893af17f47b358efe | MiniNerbian |
| SHA256 | 1079e1b6e016b070ebf3e1357fa23313dcb805d3a6805088dbc3ab6d39330548 | WARPWIRE |
| SHA256 | e134e053a80303d1fde769e50c2557ade0852fa827bed9199e52f67bac0d9efc | WARPWIRE |
| URL | www.fernandestechnical[.]com/pub/health_check.php | Compromised Server |
| URL | biondocenere[.]com/pub/health_check.php | Compromised Server |
| URL | www.miltonhouse[.]nl/pub/opt/processor.php | Compromised Server |
| URL | https://theroots[.]in/pub/media/avatar/223sam.jpg | Compromised Server |
| SHA256 | 7967def86776f36ab6a663850120c5c70f397dd3834f11ba7a077205d37b117f | Tools & Scripts |
| SHA256 | 9895286973617a79e2b19f2919190a6ec9afc07a9e87af3557f3d76b252292df | Tools & Scripts |
| SHA256 | bd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058e | Tools & Scripts |
| SHA256 | b35f11d4f54b8941d4f1c5b49101b67b563511a55351e10ad4ede17403529c16 | Tools & Scripts |
| SHA256 | 7b1d1e639d1994c6235d16a7ac583e583687660d7054a2a245dd18f24d10b675 | Tools & Scripts |
| SHA256 | 8fe1ed1e34e8758a92c8d024d73c434665a03e94e5eb972c68dd661c5e252469 | Tools & Scripts |
| SHA256 | fa317b071da64e3ee18d82d3a6a216596f2b4bca5f4d3277a091a137d6a21c45 | Tools & Scripts |
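To turn the IOC list above into something a SOC can actually run, the following script (an added example written for this article, not code from the original report or from Check Point) refangs the defanged indicators, derives hostnames from the URL entries so that DNS and flow logs can be matched as well as proxy logs, and checks a file-hash inventory against the SHA256 values. The IOC subset embedded in the script is copied from the table above; the log lines, the `/tmp/lxrt` path and the hash inventory are constructed for the demo and are not from the article.

```python
"""Hunt for the Magnet Goblin IOCs listed above in local telemetry (offline demo).

Added example for this article, not code from the original report. The IOC subset
is copied from the table above; the log lines and file inventory are constructed.
"""
import re
from typing import Dict, List, Tuple

# Subset of the IOC table above, kept in its defanged form ("[.]").
IOC_TABLE = """\
IP|91.92.240[.]113|Magnet Goblin Infra
URL|http://91.92.240[.]113/aparche2|Magnet Goblin Infra
URL|http://94.156.71[.]115/instal1.ps1|Magnet Goblin Infra
Domain|mailchimp-addons[.]com|MiniNerbian C2
IP|172.86.66[.]165|NerbianRAT C2
URL|biondocenere[.]com/pub/health_check.php|Compromised Server
SHA256|027d03679f7279a2c505f0677568972d30bc27daf43033a463fafeee0d7234f6|NerbianRAT
"""

# Constructed sample telemetry (proxy, DNS and flow records); not from the article.
SAMPLE_LOGS = [
    "1709888401.120 10.0.0.5 TCP_MISS/200 GET http://91.92.240.113/aparche2 - DIRECT/91.92.240.113 application/octet-stream",
    "Mar 08 09:12:44 ns1 named[1204]: client 10.0.0.7#51324: query: mailchimp-addons.com IN A +",
    "2024-03-08T09:15:02Z flow src=10.0.0.9 dst=172.86.66.165 dport=443 proto=tcp bytes=812",
    "2024-03-08T09:16:10Z flow src=10.0.0.9 dst=172.86.66.16 dport=443 proto=tcp bytes=400",  # near-miss
    "1709888500.456 10.0.0.5 TCP_MISS/200 GET http://updates.example.net/agent - DIRECT/203.0.113.9 text/plain",
]

# Constructed path -> sha256 inventory (e.g. output of `sha256sum`); the second hash is the empty file.
SAMPLE_INVENTORY = {
    "/tmp/lxrt": "027D03679F7279A2C505F0677568972D30BC27DAF43033A463FAFEEE0D7234F6",
    "/tmp/empty": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def refang(value: str) -> str:
    """Undo common defanging so an indicator can be compared with raw log text."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def host_of(url: str) -> str:
    """Host part of a URL that may lack a scheme, as several table entries do."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def parse_iocs(table: str) -> Dict[str, Dict[str, str]]:
    """Return {kind: {refanged_value: description}} for IP, URL, Domain and SHA256 rows."""
    iocs: Dict[str, Dict[str, str]] = {"ip": {}, "url": {}, "domain": {}, "sha256": {}}
    for line in table.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue
        kind, value, desc = parts
        if kind.lower() in iocs:
            iocs[kind.lower()][refang(value).lower()] = desc
    return iocs


def scan_logs(iocs: Dict[str, Dict[str, str]], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator, description) for each line that touches an IOC.

    Order of checks: full URL, then bare IP (with boundaries so 172.86.66.16 does not
    match 172.86.66.165), then hostnames, including hosts derived from URL IOCs.
    One hit per line is enough for triage.
    """
    hosts: Dict[str, str] = dict(iocs["domain"])
    for url, desc in iocs["url"].items():
        hosts.setdefault(host_of(url), desc)
    hits: List[Tuple[int, str, str]] = []
    for n, raw in enumerate(lines, 1):
        line = raw.lower()
        match = next(((u, d) for u, d in iocs["url"].items() if u in line), None)
        if match is None:
            match = next(((ip, d) for ip, d in iocs["ip"].items()
                          if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line)), None)
        if match is None:  # subdomains of a C2 domain are caught because '.' is allowed before it
            match = next(((h, d) for h, d in hosts.items()
                          if re.search(rf"(?<![\w-]){re.escape(h)}(?![\w-])", line)), None)
        if match is not None:
            hits.append((n, match[0], match[1]))
    return hits


def scan_hashes(iocs: Dict[str, Dict[str, str]], inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, description) for inventory entries whose hash is a known sample."""
    return [(path, h.lower(), iocs["sha256"][h.lower()])
            for path, h in inventory.items() if h.lower() in iocs["sha256"]]


if __name__ == "__main__":
    known = parse_iocs(IOC_TABLE)
    for hit in scan_logs(known, SAMPLE_LOGS):
        print("log line %d -> %s (%s)" % hit)
    for hit in scan_hashes(known, SAMPLE_INVENTORY):
        print("file %s sha256 %s -> %s" % hit)
```

In practice, feed the full table above into `IOC_TABLE` and pipe real proxy, DNS and flow exports into `scan_logs`; the hostname pass matters because the MiniNerbian C2 domains will show up in DNS resolver logs long before any URL does, and the boundary checks on IPs avoid the false positives that naive substring matching produces on adjacent address ranges.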