0
0
Unearthing Linux Malware in the Wild
Researchers have made a significant discovery of Linux malware that managed to circulate undetected for a minimum of two years before being recognized as a credential stealer. This particular malware was identified as a variant of NerbianRAT, which was initially documented in 2022 by security experts at Proofpoint. Checkpoint Research recently unveiled the existence of the Linux version, stating that it has been active since at least the same year when it was uploaded to the VirusTotal malware identification platform.
The Rise of Magnet Goblin
Referred to as Magnet Goblin by the security firm Checkpoint, the financially motivated threat actor behind this malware has been swiftly adopting “1-day” vulnerabilities to deploy its custom Linux malware, including NerbianRAT and MiniNerbian. These vulnerabilities are essentially recently patched security holes that attackers exploit by reverse engineering security updates or utilizing proof-of-concept exploits. By taking advantage of these flaws, Magnet Goblin successfully installs the malware on devices that have not yet applied the necessary patches.
MiniNerbian Emerges
Furthermore, researchers identified MiniNerbian, a downsized version of NerbianRAT tailored for Linux systems, particularly targeting servers that run the Magento ecommerce server. These servers serve as command and control centers for devices infected by NerbianRAT. While previous reports had hinted at the presence of compromised servers using MiniNerbian, Checkpoint Research was the first to uncover the underlying binary code of this malicious software.
Exploiting Critical Vulnerabilities
Checkpoint’s investigation into these activities led them to uncover the Linux version of NerbianRAT on compromised servers that were controlled by Magnet Goblin. This discovery was made while examining recent attacks exploiting crucial vulnerabilities in the Ivanti Secure Connect software suite, which has been under widespread exploitation since early January. Magnet Goblin has previously leveraged 1-day vulnerabilities in Magento, Qlink Sense, and possibly Apache ActiveMQ to facilitate the installation of their malware.
Unveiling WarpWire
Aside from deploying NerbianRAT, Magnet Goblin also implemented a custom variant of malware known as WarpWire. This particular strain of malware, identified in a recent report by Mandiant, specializes in stealing VPN credentials, which are then transmitted to a server hosted at the domain miltonhouse.nl.
Code Discrepancies
Comparing the Windows version of NerbianRAT to its Linux counterpart, researchers noted significant differences. Whereas the Windows version featured robust code designed to conceal itself and deter reverse engineering efforts, the Linux variant lacked protective measures. It was notably compiled with DWARF debugging information, making function and variable names easily accessible to researchers.
Image/Photo credit: source url
