NerbianRAT Linux Malware
Magnet Goblin is a financially motivated threat actor that uses 1-day vulnerabilities to break into publicly accessible servers. The group targets both Windows and Linux systems and deploys custom malware once it is inside. A 1-day flaw is a vulnerability that has already been publicly disclosed and for which a patch is available; to exploit one, the attackers have to move before the targets apply the update.
The Magnet Goblin Exploits a Large Number of Vulnerabilities to Drop a Custom NerbianRAT Variant
Working exploits are usually not available the moment a flaw is disclosed. Some vulnerabilities are easy to exploit, however, and comparing the patched code with the previous version can reveal the underlying bug and how to trigger it. Security researchers tracking Magnet Goblin note that the group moves quickly, sometimes exploiting a newly disclosed vulnerability within a day of a proof-of-concept (PoC) exploit being published.
The hackers target a range of devices and services, including Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893), Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense (CVE-2023-41265, CVE-2023-41266, CVE-2023-48365) and Magento (CVE-2022-24086).
Magnet Goblin uses these vulnerabilities to plant tailored malware on the compromised servers: NerbianRAT and MiniNerbian, along with a customized version of the WARPWIRE JavaScript credential stealer.
The NerbianRAT can Perform Numerous Threatening Functions
Researchers have known about the Windows version of NerbianRAT since 2022. They now report that a crudely compiled but effective Linux variant, used by Magnet Goblin, has been in circulation since May 2022.
On startup the malware collects basic system information (current time, username and machine name), generates a bot ID, sets a hardcoded IP address as its primary and secondary C2 hosts, creates its working directory, and loads a public RSA key that it uses to encrypt its network communication.
NerbianRAT then loads its configuration, which defines when it is allowed to be active (its "worktime"), how often it contacts the command-and-control (C2) server, and other parameters.
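A worktime schedule combined with a fixed connection interval has a defender-side consequence: on the wire, an implant like this looks like near-periodic connections to one destination that stop outside a daily window. The script below is an added example for this page, not code from NerbianRAT or from the researchers who analysed it. It assumes a simple flow-log format (timestamp, source host, destination IP:port, one connection per line); the log lines, the documentation-range addresses and the thresholds are all constructed for the example and are not indicators from the real campaign.

```python
"""Flag (src, dst) pairs whose connections are near-periodic and confined
to a fixed daily window, the on-the-wire shape of a RAT with a hardcoded
C2 host, a fixed connection interval and a worktime schedule.

Illustrative example written for this page; not NerbianRAT code. The log
format, addresses and thresholds are assumptions for the example.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

LOG_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed log format: "<ts> <src> <dst:port>"


def build_sample_log():
    """Construct a small flow log: one worktime-gated beacon plus background noise.

    Constructed data: 192.0.2.10 beacons to 198.51.100.5:443 every ~60 s, but
    only between 09:00 and 17:00 UTC, on two consecutive days; 192.0.2.11 is a
    workstation talking to three services at random times of day.
    """
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    lines = []
    day0 = datetime(2024, 3, 11, tzinfo=timezone.utc)
    for day in range(2):
        t = day0 + timedelta(days=day, hours=9)
        end = day0 + timedelta(days=day, hours=17)
        while t < end:
            lines.append(f"{t:{LOG_TS_FORMAT}} 192.0.2.10 198.51.100.5:443")
            t += timedelta(seconds=60 + rng.randint(-5, 5))  # +/-5 s jitter
        for dst in ("203.0.113.7:443", "203.0.113.8:80", "203.0.113.9:443"):
            for _ in range(15):
                t_n = day0 + timedelta(days=day, seconds=rng.randint(0, 86399))
                lines.append(f"{t_n:{LOG_TS_FORMAT}} 192.0.2.11 {dst}")
    return lines


def find_scheduled_beacons(lines, min_connections=20, tolerance=0.2,
                           min_regularity=0.9, max_hour_coverage=0.75):
    """Return findings for pairs that beacon regularly inside a daily window.

    A pair is "regular" when at least min_regularity of the inter-connection
    gaps lie within +/-tolerance of the median gap. Using the median and a
    fraction (rather than mean/stddev) keeps the overnight gap between two
    worktime windows from masking an otherwise perfectly periodic beacon.
    A pair is "scheduled" when it is seen on more than one day but only in a
    limited subset of the 24 hour-of-day buckets.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        when = datetime.strptime(ts, LOG_TS_FORMAT).replace(tzinfo=timezone.utc)
        by_pair[(src, dst)].append(when)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        regular = sum(abs(g - period) <= tolerance * period for g in gaps) / len(gaps)
        active_hours = sorted({t.hour for t in times})
        days = {t.date() for t in times}
        if (regular >= min_regularity and len(days) > 1
                and len(active_hours) / 24 <= max_hour_coverage):
            findings.append({
                "src": src, "dst": dst, "connections": len(times),
                "period_s": period, "regularity": round(regular, 3),
                "active_hours": active_hours, "days": len(days),
            })
    return findings


if __name__ == "__main__":
    for f in find_scheduled_beacons(build_sample_log()):
        print(f"{f['src']} -> {f['dst']}: every ~{f['period_s']:.0f}s, "
              f"hours {f['active_hours'][0]:02d}-{f['active_hours'][-1]:02d}, "
              f"{f['days']} days, regularity {f['regularity']}")
```

On the constructed sample only the 192.0.2.10 to 198.51.100.5:443 pair is reported: its gaps cluster around 60 s, it is active on both days, and it occupies only hours 09 to 16. The thresholds are starting points; a beacon whose C2 changes the interval on command (one of the commands described below) will show as two clusters of gaps and may need the tolerance widened or the window split.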
The C2 server can issue one of the following commands for the malware to carry out on the infected system:
- Request additional actions
- Execute a Linux command in a new thread
- Send command results and clear the file; halt any ongoing commands
- Immediately execute a Linux command
- Take no action
- Modify the connection interval
- Adjust and save worktime settings
- Provide idle timings, configuration or command results
- Update a specific configuration variable
- Refresh the command buffer for C2 execution commands
Prompt patching is the main defence against 1-day exploitation, and internet-facing appliances and services such as the VPN gateways and web applications listed above should be patched first, since they are what this group targets. Network segmentation, endpoint protection and multi-factor authentication do not stop the initial exploit but limit what an attacker can do once a server is compromised.
The Supplementary Malware Dropped Alongside NerbianRAT
MiniNerbian is a stripped-down version of NerbianRAT used mainly for command execution. It can run commands received from the C2 and send back the results, update its activity schedule (for whole days or for specific hours), and change its configuration. Unlike the more complex NerbianRAT, which talks to its C2 over raw TCP sockets, MiniNerbian communicates over HTTP, which suggests that Magnet Goblin keeps it as a redundant channel or as a less conspicuous backdoor for specific situations.