BleepingComputer reports that Windows and Linux systems have been subjected to new attacks by the Magnet Goblin hacking operation that leveraged one-day vulnerabilities to facilitate malware distribution since 2022.
Magnet Goblin exploited flaws impacting Ivanti Connect Secure, Apache Active MQ, Qlik Sense, ConnectWise ScreenConnect, and Magento to deploy the NerbianRAT and MiniNerbian payloads, as well as a custom WARPWIRE JavaScript stealer variant, according to a Check Point report.
Further examination of Magnet Goblin's attacks revealed the group's utilization of a Linux variant of NerbianRAT, which enabled system information exfiltration, bot IT generation, and public RSA key creation for encryption. Follow-on configuration loading activities by NerbianRAT would then enable communication with the command-and-control server via raw TCP sockets allowing further action requests, Linux command execution, and command buffer refreshing, among others, said researchers. On the other hand, the simplified MiniNerbian payload uses HTTP to establish C2 communication and later allow command execution and configuration updates.
