– Mar 12, 2024 12:33 am UTC
Researchers have unearthed Linux malware that circulated in the wild for at least two years before being identified as a credential stealer that’s installed by the exploitation of recently patched vulnerabilities.
The newly identified malware is a Linux variant of NerbianRAT, a remote access Trojan first described in 2022 by researchers at security firm Proofpoint. Last Friday, Checkpoint Research revealed that the Linux version has existed since at least the same year, when it was uploaded to the VirusTotal malware identification site. Checkpoint went on to conclude that Magnet Goblin—the name the security firm uses to track the financially motivated threat actor using the malware—has installed it by exploiting “1-days,” which are recently patched vulnerabilities. Attackers in this scenario reverse engineer security updates, or copy associated proof-of-concept exploits, for use against devices that have yet to install the patches.
Checkpoint also identified MiniNerbian, a smaller version of NerbianRAT for Linux that’s used to backdoor servers running the Magento ecommerce server, primarily for use as command-and-control servers that devices infected by NerbianRAT connect to. Researchers elsewhere have reported encountering servers that appear to have been compromised with MiniNerbian, but Checkpoint Research appears to have been the first to identify the underlying binary.
“Magnet Goblin, known for its financially motivated campaigns, quickly uses 1-day vulnerabilities to dispense their unique Linux malware, NerbianRAT and MiniNerbian,” according to researchers from Checkpoint. They report that, “These tools mostly operate under the radar as they are primarily found on edge devices. This indicates a growing trend of threat actors targeting previously unprotected areas.”
Checkpoint discovered the Linux malware in the course of examining recent attacks exploiting critical vulnerabilities in Ivanti Secure Connect. These have been subjected to widespread exploitation since the beginning of January. Previously, Magnet Goblin has deployed the malware by taking advantage of 1-day vulnerabilities in Magento, Qlink Sense, and potentially Apache ActiveMQ.
In their investigation into the exploitation of Ivanti, Checkpoint identified the Linux version of NerbianRAT on compromised servers controlled by Magnet Goblin. The associated URLs are as follows:
http://91.92.240[.]113/aparche2
http://45.9.149[.]215/aparche2
The Linux versions reconnect to the IP controlled by the attacker 172.86.66[.]165.
In addition to deploying NerbianRAT, Magnet Goblin also launched a customized version of a malware known as WarpWire. This is a stealer malware recently identified by the security company Mandiant. The variant found by Checkpoint pilfered VPN credentials and dispatched them to a server located in the miltonhouse[.]nl domain.
The Windows version of NerbianRAT came equipped with sturdy code designed to conceal itself and obstruct reverse engineering by competitors or investigators.
“Compared to its Windows counterpart, the Linux rendition has barely any security measures,” declared Checkpoint. “It is clumsily compiled with DWARF debugging details, which permits researchers to examine, among other things, function names and global variable names.”
ChicagoVPS is your gateway to unparalleled hosting solutions. Our state-of-the-art datacenters and powerful network ensures lightning-fast speeds and uninterrupted connectivity for your websites and applications. Whether you’re a startup looking for scalable resources or an enterprise in need of enterprise-grade hosting, our range of plans and customizable solutions guarantee a perfect fit. Trust in ChicagoVPS to deliver excellence, combining unmatched reliability and top-tier support.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@chicagovps.net.
