Saturday, February 8, 2025
HomeBackdoorJuniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

Published on

SIEM as a Service

Follow Us on Google News

A sophisticated cyber campaign dubbed “J-magic” has been discovered targeting enterprise-grade Juniper routers with a backdoor attack that leverages a passive monitoring agent.

The operation, first detected in September 2023, employs a variant of the cd00r backdoor that continuously scans for specific “magic packets” in TCP traffic.

Technical Implementation

The malware, masquerading as “JunoscriptService,” operates by establishing an eBPF filter on specified interfaces and ports.

Upon installation, it renames itself “[nfsiod 0]” to blend in with legitimate NFS processes.

The backdoor monitors incoming TCP traffic for five distinct predefined parameters, and when triggered by a matching “magic packet,” it initiates a secondary challenge before establishing a reverse shell.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The campaign has primarily focused on organizations using Juniper routers as VPN gateways, with approximately 50% of targeted devices serving this function.

The attackers strategically targeted semiconductor, energy, manufacturing, and IT sectors, with victims spread across multiple countries.

The operation demonstrated particular interest in devices that could serve as network crossroads, potentially enabling deeper access into corporate networks.

According to the Lumen report, what sets J-magic apart is its sophisticated operational security measures.

The malware implements a unique RSA challenge mechanism, requiring attackers to correctly respond to a five-character random string encrypted with a hardcoded public key.

This feature appears designed to prevent unauthorized actors from hijacking compromised systems, showing an evolution in tradecraft compared to earlier variants.

The campaign remained active from mid-2023 through at least mid-2024, with telemetry indicating less than 0.01% of analyzed netflow corresponding to potential compromises across 36 unique IP addresses globally.

While sharing some technical indicators with the previously known SeaSpy2 malware family, researchers maintain low confidence in direct attribution due to limited technical overlap.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Microsoft Sysinternals 0-Day Vulnerability Enables DLL Injection Attacks on Windows

A critical zero-day vulnerability has been discovered in Microsoft Sysinternals tools, posing a serious security threat...

7-Zip 0-Day Flaw Added to CISA’s List of Actively Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical 0-day vulnerability...

Logsign Vulnerability Allows Remote Attackers to Bypass Authentication

A critical security vulnerability has been identified and disclosed in the Logsign Unified SecOps...