Backdoor

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed “J-magic” has been discovered targeting enterprise-grade Juniper routers with a backdoor attack that leverages a passive monitoring agent.

The operation, first detected in September 2023, employs a variant of the cd00r backdoor that continuously scans for specific “magic packets” in TCP traffic.

Technical Implementation

The malware, masquerading as “JunoscriptService,” operates by establishing an eBPF filter on specified interfaces and ports.

Upon installation, it renames itself “[nfsiod 0]” to blend in with legitimate NFS processes.

The backdoor monitors incoming TCP traffic for five distinct predefined parameters, and when triggered by a matching “magic packet,” it initiates a secondary challenge before establishing a reverse shell.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The campaign has primarily focused on organizations using Juniper routers as VPN gateways, with approximately 50% of targeted devices serving this function.

The attackers strategically targeted semiconductor, energy, manufacturing, and IT sectors, with victims spread across multiple countries.

The operation demonstrated particular interest in devices that could serve as network crossroads, potentially enabling deeper access into corporate networks.

According to the Lumen report, what sets J-magic apart is its sophisticated operational security measures.

The malware implements a unique RSA challenge mechanism, requiring attackers to correctly respond to a five-character random string encrypted with a hardcoded public key.

This feature appears designed to prevent unauthorized actors from hijacking compromised systems, showing an evolution in tradecraft compared to earlier variants.

The campaign remained active from mid-2023 through at least mid-2024, with telemetry indicating less than 0.01% of analyzed netflow corresponding to potential compromises across 36 unique IP addresses globally.

While sharing some technical indicators with the previously known SeaSpy2 malware family, researchers maintain low confidence in direct attribution due to limited technical overlap.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick to…

1 day ago

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using compromised…

1 day ago

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign targeting…

1 day ago

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global companies,…

1 day ago

REF7707 Hackers Target Windows & Linux Systems with FINALDRAFT Malware

Elastic Security Labs has uncovered a sophisticated cyber-espionage campaign, tracked as REF7707, targeting entities across…

1 day ago

NVIDIA Container Toolkit Vulnerable to Code Execution Attacks

NVIDIA has issued a critical security update to address a high-severity vulnerability discovered in the…

1 day ago