CyberSecurity SEE

Exploiting Juniper Routers through Magic Packet Vulnerability for Custom Backdoor Deployment


A cyber campaign known as “J-magic” has recently been uncovered targeting high-end Juniper routers with a sophisticated backdoor attack that utilizes a passive monitoring agent. This operation, which was first identified in September 2023, involves a variation of the cd00r backdoor that continuously scans for specific “magic packets” within TCP traffic.

The malware, disguised as “JunoscriptService,” works by installing an eBPF filter on designated interfaces and ports. Once running, it renames itself “[nfsiod 0]” in an attempt to blend in with legitimate NFS processes. The backdoor monitors incoming TCP traffic for five predefined parameters; when a matching “magic packet” arrives, it issues a secondary challenge before opening a reverse shell.
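The process masquerade described above can be hunted for from a host shell. As an added example (not code from the article or the Lumen report), the script below parses a process listing and flags entries that carry a bracketed, kernel-thread-style title but betray a user-space origin. It assumes a FreeBSD-style listing in the layout of `ps -axo pid,ppid,uid,comm,command`, where genuine kernel threads have parent PID 0 and a COMM equal to the bracketed name, while a process that merely retitled itself keeps its real parent and original COMM; the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ps -axo pid,ppid,uid,comm,command`
# (assumption: FreeBSD-style output; real kernel threads have PPID 0 and a
# bracketed COMMAND, and setproctitle() changes COMMAND but not COMM).
SAMPLE_PS = """\
  PID  PPID UID COMM           COMMAND
    0     0   0 kernel         [kernel]
   11     0   0 idle           [idle]
   29     0   0 nfsiod         [nfsiod 0]
  742     1   0 sshd           /usr/sbin/sshd
 1337     1   0 JunoscriptService [nfsiod 0]
 1402   742   0 sh             -sh
"""

@dataclass
class Proc:
    pid: int
    ppid: int
    uid: int
    comm: str
    command: str

def parse_ps(text: str) -> list[Proc]:
    """Parse the five-column listing; only COMMAND may contain spaces."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        pid, ppid, uid, comm, command = parts
        procs.append(Proc(int(pid), int(ppid), int(uid), comm, command))
    return procs

def find_fake_kernel_threads(procs: list[Proc]) -> list[Proc]:
    """A bracketed title claims kernel-thread status. A non-zero parent PID, or a
    COMM that differs from the bracketed name, means the title was set by a
    user-space binary, which is exactly the "[nfsiod 0]" disguise to look for."""
    suspicious = []
    for p in procs:
        m = re.fullmatch(r"\[([^\]\s]+)(?:\s[^\]]*)?\]", p.command)
        if not m:
            continue
        if p.ppid != 0 or m.group(1) != p.comm:
            suspicious.append(p)
    return suspicious
```

On the sample, only PID 1337 is flagged: the real nfsiod thread (PID 29, PPID 0) passes, the retitled JunoscriptService process does not.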

The primary targets of this campaign have been organizations utilizing Juniper routers as VPN gateways, with around 50% of the affected devices serving this purpose. The attackers have focused on industries such as semiconductor, energy, manufacturing, and IT, with victims located in various countries. The attackers have shown a particular interest in devices that could act as network intersections, potentially providing them with deeper access into corporate networks.

A report from Lumen highlights the unusual operational security measures built into the J-magic malware. It incorporates a distinct RSA challenge mechanism that requires the attacker to return the correct response to a five-character random string encrypted with a hardcoded public key. This feature appears designed to stop unauthorized parties from taking control of compromised systems, an evolution in tactics compared to previous versions.

The campaign has been active from mid-2023 through at least mid-2024, with telemetry data indicating that less than 0.01% of analyzed netflow corresponds to potential compromises across 36 different IP addresses worldwide. While there are some technical similarities with the SeaSpy2 malware family, researchers are cautious about making direct attributions due to the limited technical overlap.

In conclusion, the J-magic cyber campaign targeting Juniper routers with a backdoor attack showcases the increasing sophistication of cyber threats targeting enterprise-grade systems. Organizations using such routers as VPN gateways should remain vigilant and take proactive measures to safeguard their networks against such malicious activities.
