A sophisticated cyber campaign dubbed “J-magic” has been discovered targeting enterprise-grade Juniper routers with a backdoor attack that leverages a passive monitoring agent.
The operation, first detected in September 2023, employs a variant of the cd00r backdoor that continuously scans for specific “magic packets” in TCP traffic.
The malware, masquerading as “JunoscriptService,” operates by establishing an eBPF filter on specified interfaces and ports.
Upon installation, it renames itself “[nfsiod 0]” to blend in with legitimate NFS processes.
The backdoor monitors incoming TCP traffic for five distinct predefined parameters, and when triggered by a matching “magic packet,” it initiates a secondary challenge before establishing a reverse shell.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
The campaign has primarily focused on organizations using Juniper routers as VPN gateways, with approximately 50% of targeted devices serving this function.
The attackers strategically targeted semiconductor, energy, manufacturing, and IT sectors, with victims spread across multiple countries.
The operation demonstrated particular interest in devices that could serve as network crossroads, potentially enabling deeper access into corporate networks.
According to the Lumen report, what sets J-magic apart is its sophisticated operational security measures.
The malware implements a unique RSA challenge mechanism, requiring attackers to correctly respond to a five-character random string encrypted with a hardcoded public key.
This feature appears designed to prevent unauthorized actors from hijacking compromised systems, showing an evolution in tradecraft compared to earlier variants.
The campaign remained active from mid-2023 through at least mid-2024, with telemetry indicating less than 0.01% of analyzed netflow corresponding to potential compromises across 36 unique IP addresses globally.
While sharing some technical indicators with the previously known SeaSpy2 malware family, researchers maintain low confidence in direct attribution due to limited technical overlap.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a colleague…
A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a grave…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS) advisories…
In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA pages…
In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to a…
The New York State Department of Financial Services (NYDFS) has imposed a $2 million penalty…