Magnet Goblin Exploits 1-Day Bugs, Deploys Nerbian RAT

Diving into details

• This particular instance was an Ivanti Connect Secure exploitation campaign that resulted in the deployment of a Linux version of a malware called NerbianRAT and a JavaScript credential stealer named WARPWIRE. 
• Magnet Goblin’s arsenal also includes MiniNerbian, a small Linux backdoor, and RMM tools for Windows.
• After gaining unauthorized access through unpatched servers, the threat actor deploys the Nerbian RAT and MiniNerbian to execute arbitrary commands and exfiltrate data from compromised hosts.
• The campaign seems to be financially motivated, and the attackers are focusing on areas that have typically been left unprotected.
• The group's use of 1-day vulnerabilities and custom Linux malware highlights a trend of targeting previously unprotected edge devices for financial gain.

Beware of these latest threats

• Most recently, the North Korean Kimsuky APT group was found exploiting vulnerabilities in ConnectWise ScreenConnect software to deploy ToddlerShark malware for long-term espionage and data exfiltration.
• The ToddlerShark malware uses polymorphic traits, legitimate Microsoft binaries, and unique C2 URLs, making it challenging to detect and establish persistence on infected devices.
• In February, a campaign by the hacking group UAC-0184 used steganography to deliver the Remcos RAT to a Ukrainian entity in Finland. 
• The attack began with phishing emails impersonating Ukrainian and Israeli military entities, leading to the download of the IDAT Loader.

The bottom line