Juniper enterprise routers compromised by “magic packet” malware

A recent attack campaign targeting Juniper enterprise-grade routers has been discovered, in which malicious actors planted a backdoor known as “J-magic” to gain unauthorized access to corporate networks. The campaign, dubbed J-magic after the backdoor, was active from mid-2023 until at least mid-2024 and targeted organizations in various industries, including semiconductor, energy, manufacturing, and IT.

The J-magic backdoor, once uploaded to an infected router, disguises itself as the local NFS asynchronous I/O server to evade detection. It then waits for a specific packet from the attacker, known as a “magic packet,” which triggers the creation of a reverse shell and opens a backdoor for remote access. The attacker must correctly answer a challenge before the connection is established, so that nobody else who discovers the trigger can use the backdoor.

Security researchers have linked the J-magic malware to a custom variant of cd00r, an old open-source project designed to create stealthy backdoors. This variant has been used by attackers in the past, including the creators of the SEASPY backdoor that targeted Barracuda Networks’ Email Security Gateway appliances in 2023. Despite efforts to analyze the malware, researchers have not yet determined how the attackers initially gained access to the Juniper devices to deploy the J-magic backdoor.

Enterprise-grade routers are attractive targets for cyberattacks due to their lack of host-based monitoring tools and long uptime, making them ideal for stealthy malware that resides in memory. Routers positioned at the edge of corporate networks or serving as VPN gateways are especially vulnerable, as compromising them can provide access to the entire network.

The rise of “magic packet” malware, such as J-magic, poses a significant threat to perimeter devices and network security. Similar techniques have been observed in other malware variants like BPFdoor and Symbiote, indicating a growing trend in using these tactics to evade detection and maintain long-term access to target networks.

While researchers have not definitively linked the SEASPY and J-magic malware to the same attackers, the increasing use of magic packet techniques highlights the need for improved awareness and defenses against such threats. As cybercriminals continue to evolve their tactics, organizations must stay vigilant and implement robust security measures to protect their networks from advanced attacks like the J-magic campaign.
