Linux Malware Installed via Exploiting Recently Patched Vulnerabilities

0 0
Read Time:2 Minute

Unearthing Linux Malware in the Wild

Researchers have made a significant discovery of Linux malware that managed to circulate undetected for a minimum of two years before being recognized as a credential stealer. This particular malware was identified as a variant of NerbianRAT, which was initially documented in 2022 by security experts at Proofpoint. Checkpoint Research recently unveiled the existence of the Linux version, stating that it has been active since at least the same year when it was uploaded to the VirusTotal malware identification platform.

The Rise of Magnet Goblin

Referred to as Magnet Goblin by the security firm Checkpoint, the financially motivated threat actor behind this malware has been swiftly adopting “1-day” vulnerabilities to deploy its custom Linux malware, including NerbianRAT and MiniNerbian. These vulnerabilities are essentially recently patched security holes that attackers exploit by reverse engineering security updates or utilizing proof-of-concept exploits. By taking advantage of these flaws, Magnet Goblin successfully installs the malware on devices that have not yet applied the necessary patches.

MiniNerbian Emerges

Furthermore, researchers identified MiniNerbian, a downsized version of NerbianRAT tailored for Linux systems, particularly targeting servers that run the Magento ecommerce server. These servers serve as command and control centers for devices infected by NerbianRAT. While previous reports had hinted at the presence of compromised servers using MiniNerbian, Checkpoint Research was the first to uncover the underlying binary code of this malicious software.

See also
BlackRock and Fidelity Bitcoin ETFs Break Records

Exploiting Critical Vulnerabilities

Checkpoint’s investigation into these activities led them to uncover the Linux version of NerbianRAT on compromised servers that were controlled by Magnet Goblin. This discovery was made while examining recent attacks exploiting crucial vulnerabilities in the Ivanti Secure Connect software suite, which has been under widespread exploitation since early January. Magnet Goblin has previously leveraged 1-day vulnerabilities in Magento, Qlink Sense, and possibly Apache ActiveMQ to facilitate the installation of their malware.

Unveiling WarpWire

Aside from deploying NerbianRAT, Magnet Goblin also implemented a custom variant of malware known as WarpWire. This particular strain of malware, identified in a recent report by Mandiant, specializes in stealing VPN credentials, which are then transmitted to a server hosted at the domain miltonhouse.nl.

Code Discrepancies

Comparing the Windows version of NerbianRAT to its Linux counterpart, researchers noted significant differences. Whereas the Windows version featured robust code designed to conceal itself and deter reverse engineering efforts, the Linux variant lacked protective measures. It was notably compiled with DWARF debugging information, making function and variable names easily accessible to researchers.

Image/Photo credit: source url

About Post Author

Chris Jones

Hey there! 👋 I'm Chris, 34 yo from Toronto (CA), I'm a journalist with a PhD in journalism and mass communication. For 5 years, I worked for some local publications as an envoy and reporter. Today, I work as 'content publisher' for InformOverload. 📰🌐 Passionate about global news, I cover a wide range of topics including technology, business, healthcare, sports, finance, and more. If you want to know more or interact with me, visit my social channels, or send me a message.
Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
0 %