New Magnet Goblin cybercrime crew is targeting Windows and Linux devices with all-new malware

The group’s location is not known at the time

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers from Check Point haev discovered a new hacking collective deploying all-newmalwareon Windows and Linux devices.

Check Point says the previously-unknown group, dubbed Magnet Goblin, was leveraging 1-day vulnerabilities - flaws for which a patch was only recently released. In some instances, the group was leveraging flaws just a day after someone releases a proof-of-concept (PoC).

Some of the flaws Magnet Goblin was abusing includes those found in Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense (CVE-2023-41265, CVE-2023-41266, CVE-2023-48365), and Magento (CVE-2022-24086).

Securing the website

The group used the flaws to deploy unique malware, for both Windows and Linux, such as NerbianRAT, MiniNerbian, and WARPWIRE. While NerbianRAT isn’t exactly new, the researchers added that a Linux version only started circulating in mid-2022.

Here is a full list of the malware’s capabilities:

Request more actions from the command & control server (C2)Execute a Linux command in a new threadSend command result and clean the file; stop any running commandsExecute a Linux command immediatelyDo nothingModify connection intervalAdjust and save worktime settingsReturn idle timings, config, or command resultsUpdate a specific config variableRefresh command buffer for C2 execution commands

As for MiniNerbian, as the name suggests, it’s a stripped-down version of NerbianRAT, capable of:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Executing C2’s commands and returning resultsUpdating activity schedule (full day or specific hours)Updating configuration

Magnet Goblin is described as a financially-motivated actor, meaning it’s not state-sponsored and its goals aren’t aligned with any nation-state. It mostly targets healthcare, manufacturing, and energy organizations in the US, Check Point says. Speaking toThe Register, Sergey Shykevich, Check Point’s threat intelligence manager, said the researchers found fewer than 10 organizations in the US that fell victim to Magnet Goblin. “But we assume the real number is much higher,” he added.

“We think it is an opportunistic cybercrime group that we currently can’t affiliate to a specific geographical location or a known group,” Shykevich added. “This group was able to utilize the Ivanti exploit extremely quickly, just one day after a POC for it was published.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Quordle today – hints and answers for Saturday, November 9 (game #1020)