
Juniper Routers Exploited through Magic Packet Vulnerability to Deploy Customized Backdoor


A sophisticated cyber campaign dubbed “J-magic” has been found targeting enterprise-grade Juniper routers with a backdoor attack that relies on a passive monitoring agent.

The operation, first detected in September 2023, employs a variant of the cd00r backdoor that continuously scans TCP traffic for specific “magic packets”.

Technical Implementation

The malware, masquerading as “JunoscriptService,” operates by installing an eBPF filter on specified interfaces and ports.

Upon installation, it renames itself “[nfsiod 0]” to blend in with legitimate NFS processes.

The backdoor monitors incoming TCP traffic for five distinct predefined parameters, and when triggered by a matching “magic packet,” it initiates a secondary challenge before establishing a reverse shell.
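Because the implant hides behind a kernel-thread-style name, one host-level check a defender can run is to compare bracketed process names against their parent PID. The script below is an added example written for this article, not code from the Lumen report or from Juniper; the process table is constructed sample data, and the rule that genuine kernel threads are children of PID 0 is an assumption of this example rather than a statement from the report.

```python
import re

# Constructed sample of `ps -axo pid,ppid,command` output from a FreeBSD-style host.
# Invented for this example; it is not telemetry from a compromised router.
SAMPLE_PS = """\
  PID  PPID COMMAND
    0     0 [kernel]
    1     0 /sbin/init --
   11     0 [idle]
   22     0 [nfsiod 0]
  611     1 /usr/sbin/sshd
 4242     1 [nfsiod 0]
 4301   611 sshd: admin [priv]
"""

# A kernel-thread style name is the whole command wrapped in square brackets.
BRACKETED = re.compile(r"^\[[^\]]*\]$")


def parse_ps(text):
    """Parse header + rows of ps output into (pid, ppid, command) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        line = line.strip()
        if not line:
            continue
        pid, ppid, command = line.split(None, 2)
        rows.append((int(pid), int(ppid), command))
    return rows


def find_masquerading(rows):
    """Flag processes that look like kernel threads but have a user-space parent.

    Assumption (a heuristic of this example, not from the report): genuine
    kernel threads are spawned by the kernel itself, i.e. their PPID is 0.
    A user-space binary that renamed itself "[nfsiod 0]" keeps its real parent.
    """
    findings = []
    for pid, ppid, command in rows:
        if BRACKETED.match(command) and ppid != 0:
            findings.append({
                "pid": pid,
                "ppid": ppid,
                "command": command,
                "reason": "kernel-thread style name with user-space parent",
            })
    return findings


if __name__ == "__main__":
    for hit in find_masquerading(parse_ps(SAMPLE_PS)):
        print(f"suspect pid={hit['pid']} ppid={hit['ppid']} "
              f"name={hit['command']!r}: {hit['reason']}")
```

On the constructed table the real `[nfsiod 0]` (PID 22, parent 0) passes, while PID 4242, which carries the same name but was started by `init`, is reported. The check is cheap enough to run from a periodic job and pairs well with verifying that no process is attaching eBPF filters to the device's VPN-facing interfaces.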


The campaign has primarily targeted organizations using Juniper routers as VPN gateways, with roughly 50% of targeted devices serving this function.

The attackers strategically targeted the semiconductor, energy, manufacturing, and IT sectors, with victims spread across multiple countries.

The operation showed particular interest in devices that could serve as network crossroads, potentially enabling deeper access into corporate networks.

According to the Lumen report, what sets J-magic apart is its sophisticated operational security measures.

The malware implements a novel RSA challenge mechanism, requiring attackers to correctly respond to a five-character random string encrypted with a hardcoded public key.

This feature appears designed to prevent unauthorized actors from hijacking compromised systems, showing an evolution in tradecraft compared to earlier variants.

The campaign remained active from mid-2023 through at least mid-2024, with telemetry indicating that less than 0.01% of analyzed netflow corresponded to potential compromises, across 36 unique IP addresses globally.

While sharing some technical indicators with the previously identified SeaSpy2 malware family, researchers maintain low confidence in direct attribution due to limited technical overlap.
