Rewterz Threat Alert – Nerbian RAT Distributed by Magnet Goblin Threat Group by Abusing 1-Day Exploits – Active IOCs

Severity

High

Analysis Summary

The emergence of Magnet Goblin, a financially motivated threat actor group, has been exploiting newly disclosed vulnerabilities that particularly target public-facing servers and edge devices to propagate Nerbian RAT malware.

This proactive approach often involves deploying exploits within a mere day of their discovery. It significantly amplifies the risk posed by Magnet Goblin as it minimizes the window of opportunity for defenders to patch or mitigate vulnerabilities. Notably, the group has demonstrated proficiency in leveraging vulnerabilities in platforms such as Ivanti Connect Secure VPN, Magento, Qlik Sense, and Apache ActiveMQ servers, highlighting a diverse range of targets.

Upon successful exploitation, Magnet Goblin deploys a cross-platform remote access trojan (RAT) known as Nerbian RAT and its simplified variant, MiniNerbian. These tools enable the threat actor to execute arbitrary commands and exfiltrate data, thus establishing a foothold within compromised systems. The adoption of such malware underscores Magnet Goblin’s sophistication and adaptability in crafting custom Linux-based malware, reflecting a calculated effort to maintain persistence and evade detection. Security researchers note that the group’s utilization of other tools such as the WARPWIRE JavaScript credential stealer and Ligolo (a Go-based tunneling software) showcases a multi-faceted approach to compromising systems and exfiltrating sensitive information.

Furthermore, Magnet Goblin’s choice of targets that are particularly edge devices indicates a strategic shift towards exploiting areas of the infrastructure that have historically been less fortified. By infiltrating these overlooked segments of the network, the threat actor group aims to operate stealthily and persistently, evading traditional security measures. This trend highlights the importance of holistic security strategies encompassing core infrastructure and peripheral devices and services.

The financially motivated nature of Magnet Goblin’s campaigns emphasizes the lucrative incentives driving cybercriminal activity, highlighting the need for organizations to remain vigilant and proactive in defending against evolving threats. By understanding the tactics and techniques employed by threat actor groups like Magnet Goblin, defenders can better fortify their defenses and mitigate the risks posed by financially motivated cybercrime.

Impact

• Unauthorized Access
• Financial Loss
• Command Execution

Indicators of Compromise

MD5

• cd9bd8c39385e338ccdb0dae369d8518
• 026f376489bcb2a3c0b3a64235885652
• b7cc7f2d57e3aa997f2d9d2a0fdfacbe
• bcb71c0461d4b017274598fd046f221b
• 9d0877c669b87655b3824cae48a7a0de
• ba510fbcad78bc6454cd9020eccbe598
• 0cc9218e204901fcde8946974fa3e230
• 547d33c786bafa2dd549f71319226b34

SHA-256

• 027d03679f7279a2c505f0677568972d30bc27daf43033a463fafeee0d7234f6
• 9cb6dc863e56316364c7c1e51f74ca991d734dacef9029337ddec5ca684c1106
• 9d11c3cf10b20ff5b3e541147f9a965a4e66ed863803c54d93ba8a07c4aa7e50
• d3fbae7eb3d38159913c7e9f4c627149df1882b57998c8acaac5904710be2236
• df91410df516e2bddfd3f6815b3b4039bf67a76f20aecabccffb152e5d6975ef
• 99fd61ba93497214ac56d8a0e65203647a2bc383a2ca2716015b3014a7e0f84d
• 9ff0dcce930bb690c897260a0c5aaa928955f4ffba080c580c13a32a48037cf7
• 3367a4c8bd2bcd0973f3cb22aa2cb3f90ce2125107f9df2935831419444d5276

SHA-1

• 98a343813cc9bf8d2b212acc3b27ff345d38d59f
• 70a309c7fce5f3db4c6e5bf06a746afa41eb931b
• 69294fbf050cd8cebe99650c8e05889c489667e6
• 5fad4e59edefb9c5f400be281d88f4d7a7340895
• 0b5e5b94c5926a8edadb45f784530a42a90178e8
• 3677ed8b95b9781bd149a4c3bb9ac02f7adfd3d0
• ef79ba3fd603fb9d82dc2c85339b390edbfba09b
• 282d84d84986fd49a0b711d847de9c1625ef7031

URL

• http://91.92.240.113/auth.js
• http://91.92.240.113/login.cgi
• http://91.92.240.113/aparche2
• http://91.92.240.113/agent
• http://45.9.149.215/aparche2
• http://cloudflareaddons.com/assets/img/Image_Slider15.1.png

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Use network segmentation to isolate critical systems and limit access to sensitive data and resources.
• Conduct regular cybersecurity awareness training sessions for employees to educate them about phishing scams, malicious attachments, and the importance of following security protocols.