Researchers have unearthed Linux malware that circulated in the wild for at least two years before being identified as a credential stealer that's installed by the exploitation of recently patched vulnerabilities.
The newly identified malware is a Linux variant of NerbianRAT, a remote access Trojan first described in 2022 by researchers at security firm Proofpoint.
Last Friday, Checkpoint Research revealed that the Linux version has existed since at least the same year, when it was uploaded to the VirusTotal malware identification site.
Attackers in this scenario reverse engineer security updates, or copy associated proof-of-concept exploits, for use against devices that have yet to install the patches.
Checkpoint also identified MiniNerbian, a smaller version of NerbianRAT for Linux that's used to backdoor servers running the Magento ecommerce server, primarily for use as command-and-control servers that devices infected by NerbianRAT connect to.
Researchers elsewhere have reported encountering servers that appear to have been compromised with MiniNerbian, but Checkpoint Research appears to have been the first to identify the underlying binary.
Checkpoint discovered the Linux malware while researching recent attacks that exploit critical vulnerabilities in Ivanti Secure Connect, which have been under mass exploitation since early January.
In the past, Magnet Goblin has installed the malware by exploiting one-day vulnerabilities in Magento, Qlink Sense, and possibly Apache ActiveMQ. In the course of its investigation into the Ivanti exploitation, Checkpoint found the Linux version of NerbianRAT on compromised servers that were under the control of Magnet Goblin.
The Linux variants connect back to the attacker-controlled IP 172.86.66[.]165. Besides deploying NerbianRAT, Magnet Goblin also installed a custom variant of malware tracked as WarpWire, a piece of stealer malware recently reported by security firm Mandiant.
The variant Checkpoint encountered stole VPN credentials and sent them to a server at the domain miltonhouse[.
Nl. NerbianRAT Windows featured robust code that took pains to hide itself and to prevent reverse engineering by rivals or researchers.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 12 Mar 2024 16:28:06 +0000