Full Report
Researchers at Black Lotus Labs have uncovered an operation where a back door is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as “magic packets,” to execute malicious commands. The campaign, which researchers at the cybersecurity wing of Lumen Technologies refer to as “J-Magic,” was active between mid-2023 and mid-2024. […] The post New backdoor discovered that specifically targets Juniper routers appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: J-Magic Backdoor (cd00r variant)
## Overview
J-Magic is a custom backdoor discovered targeting Juniper Networks enterprise routers running Junos OS (a FreeBSD-based operating system). Its purpose is to establish persistent, stealthy remote access by lying dormant until activated by specific network signals ("magic packets"), after which operators can execute remote commands, steal data, or deploy further malware.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Juniper Networks Routers (running Junos OS, a FreeBSD-based system)
- Capabilities: Listens for magic packets, establishes reverse shell upon activation, designed for in-memory persistence.
- First Seen: Active between mid-2023 and mid-2024.
## MITRE ATT&CK Mapping
*Note: Specific technique mappings are inferred based on observed behavior (remote execution via trigger, persistence on infrastructure devices).*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Inferred, as reverse shells often use common protocols)
- **TA0003 - Persistence**
  - T1543.003 - Windows Service (Inferred similarity to persistence on infrastructure components)
- **TA0001 - Initial Access** (Implied entry vector into the router, though not detailed)
## Functionality
### Core Capabilities
- **Triggered Activation:** The malware remains dormant, inspecting inbound traffic for packets that match five different predefined parameters (the "magic packets").
- **Reverse Shell Establishment:** Once a correct trigger is received and confirmed, it establishes a reverse shell on the local file system, granting the operator command-and-control access.
- **In-Memory Operation:** Designed to operate almost exclusively in memory, leveraging the long uptime characteristics of routers to achieve low detection and long-term access.
### Advanced Features
- **Targeted Infrastructure:** Specifically targets network infrastructure devices (routers), which are typically monitored less stringently than endpoints.
- **VPN Gateway Focus:** Many targeted devices functioned as VPN gateways, providing attackers a critical foothold at the network edge.
- **Custom Variant:** Uses a custom variant of the open-source 'cd00r' backdoor.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Not provided in the source text; the implant is described as residing mainly in memory rather than as a file on disk]
- Registry Keys: [Not applicable to FreeBSD/Junos OS]
- Network Indicators: Listens for specific, predefined "magic packets." Confirmation requests sent upon receiving a trigger. (No specific C2 IPs/domains provided).
- Behavioral Indicators: Long runtime without power cycling; execution aimed at avoiding storage persistence (living in-memory).
## Associated Threat Actors
- Unknown. Black Lotus Labs (Lumen Technologies) identified the campaign but did not attribute it to a specific threat group, though they confirmed it is an independent campaign separate from SeaSpy activity.
## Detection Methods
- Signature-based detection: Not explicitly mentioned, but signature creation would focus on the custom cd00r variant or packet signatures.
- Behavioral detection: Monitoring for unusual network signals being received by the router OS or the unexpected initiation of a reverse shell process from core networking software.
- YARA rules: [Not provided in the source text]
## Mitigation Strategies
- Regular comprehensive security monitoring of network infrastructure devices like routers, which are often overlooked.
- Employing security tools/host-based firewalls on routers, if supported, to monitor for unexpected process execution or network listeners.
- Reducing router uptime if possible, though this conflicts with operational needs. (Malware is designed to exploit long uptime).
## Related Tools/Techniques
- **SeaSpy:** A previously reported backdoor (also a cd00r variant) that targeted Barracuda Networks Email Security Gateways (another FreeBSD-based system). J-Magic shares technical similarities but is considered independent.
- **cd00r:** The open-source backdoor upon which the J-Magic malware is based.