November 23, 2024

DOUBLE-DUTY MALWARE — Never-before-seen Linux malware gets installed using 1-day exploits Discovery means that NerbianRAT is cross-platform used by for-profit threat group.

Dan Goodin – Mar 12, 2024 12:33 am UTC EnlargeGetty Images reader comments 21

Researchers have unearthed Linux malware that circulated in the wild for at least two years before being identified as a credential stealer thats installed by the exploitation of recently patched vulnerabilities.

The newly identified malware is a Linux variant of NerbianRAT, a remote access Trojan first described in 2022 by researchers at security firm Proofpoint. Last Friday, Checkpoint Research revealed that the Linux version has existed since at least the same year, when it was uploaded to the VirusTotal malware identification site. Checkpoint went on to conclude that Magnet Goblinthe name the security firm uses to track the financially motivated threat actor using the malwarehas installed it by exploiting 1-days, which are recently patched vulnerabilities. Attackers in this scenario reverse engineer security updates, or copy associated proof-of-concept exploits, for use against devices that have yet to install the patches.

Checkpoint also identified MiniNerbian, a smaller version of NerbianRAT for Linux thats used to backdoor servers running the Magento ecommerce server, primarily for use as command and control servers that devices infected by NerbianRAT connect to. Researchers elsewhere have reported encountering servers that appear to have been compromised with MiniNerbian, but Checkpoint Research appears to have been the first to identify the underlying binary. Advertisement

Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian, Checkpoint researchers wrote. Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.

Checkpoint discovered the Linux malware while researching recent attacks that exploit critical vulnerabilities in Ivanti Secure Connect, which have been under mass exploitation since early January. In the past, Magnet Goblin has installed the malware by exploiting one-day vulnerabilities in Magento, Qlink Sense, and possibly Apache ActiveMQ.

In the course of its investigation into the Ivanti exploitation, Checkpoint found the Linux version of NerbianRAT on compromised servers that were under the control of Magnet Goblin. URLs included:

http://94.156.71[.]115/lxrt
http://91.92.240[.]113/aparche2
http://45.9.149[.]215/aparche2

The Linux variants connect back to the attacker-controlled IP 172.86.66[.]165.

Besides deploying NerbianRAT, Magnet Goblin also installed a custom variant of malware tracked as WarpWire, a piece of stealer malware recently reported by security firm Mandiant. The variant Checkpoint encountered stole VPN credentials and sent them to a server at the domain miltonhouse[.]nl. EnlargeCheckpoint Research

NerbianRAT Windows featured robust code that took pains to hide itself and to prevent reverse engineering by rivals or researchers.

Unlike its Windows equivalent, the Linux version barely has any protective measures, Checkpoint said. It is sloppily compiled with DWARF debugging information, which allows researchers to view, among other things, function names and global variable names. Page: 1 2 Next → reader comments 21 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars