Magnet Goblin Exploits 1-Day Vulnerabilities for Financial Gain

Cyber Attack

A financially motivated threat group known as Magnet Goblin has gained attention for its rapid adoption of newly disclosed vulnerabilities to breach edge devices and public-facing servers. According to reports from cybersecurity firm Check Point, Magnet Goblin is quick to weaponize these vulnerabilities, often deploying exploits within a day of a proof-of-concept being published.

The group's modus operandi involves targeting unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and potentially Apache ActiveMQ servers to gain initial, unauthorized access. Magnet Goblin's activities have been ongoing since at least January 2022.

Upon successful exploitation, Magnet Goblin deploys a cross-platform remote access trojan (RAT) named Nerbian RAT and its simplified version, MiniNerbian. These RATs enable the execution of arbitrary commands received from a command-and-control (C2) server and facilitate the exfiltration of results back to the server.

In addition to Nerbian RAT and MiniNerbian, Magnet Goblin employs various other tools, including the WARPWIRE JavaScript credential stealer, Ligolo (a Go-based tunnelling tool), and legitimate remote desktop solutions such as AnyDesk and ScreenConnect.

The group's campaigns are primarily driven by financial motives, focusing on exploiting 1-day vulnerabilities to distribute their custom Linux malware. These tools, operating largely on edge devices, have flown under the radar, representing a broader trend among threat actors to target previously overlooked areas of vulnerability.

As Magnet Goblin continues to evolve its tactics, cybersecurity experts emphasize the importance of timely patching and robust security measures to mitigate the risk posed by such threat actors.