Full Report
Executive Summary

The Black Lotus Labs team at Lumen Technologies has been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a “magic […]

Source post: "The J-Magic Show: Magic Packets and Where to find them" (Lumen Blog).
Analysis Summary
# Tool/Technique: J-magic (cd00r variant for Juniper Routers)
## Overview
J-magic refers to a specific backdoor campaign targeting enterprise-grade Juniper routers running Junos OS (a FreeBSD variant). The attack uses a passive, in-memory agent (a variant of the `cd00r` backdoor) that continuously monitors network traffic for a pre-defined "magic packet" sent by the attacker in order to establish remote control.
## Technical Details
- Type: Malware (Backdoor agent variant of cd00r)
- Platform: Juniper routers running Junos OS (FreeBSD-based)
- Capabilities: Passive monitoring for magic packets, challenge/response authentication, establishing a reverse shell, in-memory operation for low detection.
- First Seen: Earliest sample uploaded to VirusTotal in September 2023. Campaign active from mid-2023 until at least mid-2024.
## MITRE ATT&CK Mapping
*Note: Mapping is based on post-exploitation and command and control behavior described.*
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Systemd Service (If persistence is achieved beyond reboot via configuration or leveraging OS features, although the focus is in-memory)
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping (Inferred, as gaining control allows for credential theft)
## Functionality
### Core Capabilities
- **Passive Monitoring:** The agent is launched from the command line with interface and port arguments, spawns a `pcap` listener using an eBPF extension on the specified network interface, and waits for the attacker's "magic packet."
- **Remote Control Activation:** On receipt of a magic packet matching one of five predefined parameters, the agent opens a reverse shell connection back to the IP address and port the attacker specified.
- **Challenge/Response:** Before a shell is granted, the remote party must return a string encrypted with a hard-coded certificate; only a successful response yields a command shell.
### Advanced Features
- **In-Memory Operation:** The malware is designed to live exclusively in memory and never touches firmware storage, which lowers its detection footprint. Because nothing is written to disk, it does not survive a reboot on its own; it relies on the agent process being re-established or on the router rarely being power-cycled.
- **Custom Authentication:** Features an embedded certificate mechanism to present a "challenge," indicating an evolution in operational security compared to older `cd00r` variants.
- **Target Specificity:** Specifically tailored for the Junos OS operating system, distinct from the more commonly targeted Cisco IOS systems.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: `JunoscriptService` (This mimics the Junos automation scripting service)
- Registry Keys: [Not applicable/provided for Unix-like systems]
- Network Indicators: Connections established via reverse shells to attacker-controlled IPs/ports upon magic packet reception (Specific IPs/domains defanged: [Not provided in text])
- Behavioral Indicators: Presence of a `pcap` listener using an eBPF extension on a network interface; process execution initiated with interface and port arguments; communication that behaves like a reverse shell and requires a certificate-based challenge/response.
## Associated Threat Actors
- Unaffiliated with other prominently reported clusters tracked by Black Lotus Labs at the time of reporting.
- *Note: Shares technical indicators with a subset of reporting on the SeaSpy2 malware family (which targeted Barracuda mail servers using a cd00r variant), but a high-confidence link cannot be established.*
## Detection Methods
- Signature-based detection: [Not specified for proprietary signatures]
- Behavioral detection: Monitoring for the execution of components using command line arguments specifying interfaces and ports, and looking for processes utilizing the eBPF framework for network sniffing.
- YARA rules: [Not explicitly provided, but hunt guides suggest searching for memory patterns related to BPF malware.]
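The behavioral indicators and detection methods above describe a host-side hunt: a process that holds a BPF device without being a known sniffer, that was started with interface and port arguments, or that carries the `JunoscriptService` name. The script below is an added example of that hunt, not code from the Lumen report. It runs over constructed sample tables whose layout is an assumption (one row per open file descriptor, one row per command line); a real run would feed it the output of the platform's process and file-descriptor tools.

```python
"""Hunt for a cd00r-style passive BPF listener (added example, not the report's code)."""
import re
from dataclasses import dataclass, field

# CONSTRUCTED sample: one row per open file descriptor -> "pid comm path".
# The layout is an assumption for this example, not real Junos output.
SAMPLE_FDS = """\
1201 sshd /dev/null
1410 JunoscriptService /dev/bpf0
1410 JunoscriptService /dev/null
1502 snmpd /var/run/snmpd.pid
1603 tcpdump /dev/bpf1
"""

# CONSTRUCTED sample: "pid full-command-line".
SAMPLE_CMDLINES = """\
1201 /usr/sbin/sshd
1410 /tmp/JunoscriptService em0 443
1502 /usr/sbin/snmpd
1603 tcpdump -i em1 -w /var/tmp/capture.pcap
"""

# Sniffers an operator expects to see holding a BPF device (assumption; tune per site).
KNOWN_SNIFFERS = {"tcpdump"}

# An interface-looking token followed by a port number, e.g. "em0 443" or "ge-0/0/0 443".
IFACE_PORT = re.compile(r"\b(?:em|ge|xe|et|fxp|lo)[\d/.-]*\s+(\d{1,5})\b")

# Process name the report says the sample used to blend in.
LURE_NAME = "JunoscriptService"


@dataclass
class Finding:
    pid: int
    comm: str
    cmdline: str
    reasons: list = field(default_factory=list)


def parse_fds(text):
    """Return {pid: (comm, set_of_open_paths)} from the fd table."""
    procs = {}
    for line in text.splitlines():
        pid, comm, path = line.split(None, 2)
        procs.setdefault(int(pid), (comm, set()))[1].add(path)
    return procs


def parse_cmdlines(text):
    """Return {pid: command line} from the command-line table."""
    out = {}
    for line in text.splitlines():
        pid, cmd = line.split(None, 1)
        out[int(pid)] = cmd
    return out


def hunt(fd_text, cmd_text):
    """Flag processes showing the report's behavioral indicators."""
    procs = parse_fds(fd_text)
    cmds = parse_cmdlines(cmd_text)
    findings = []
    for pid, (comm, paths) in procs.items():
        cmd = cmds.get(pid, "")
        reasons = []
        # Indicator 1: holds a BPF device but is not an expected sniffer.
        if any(p.startswith("/dev/bpf") for p in paths) and comm not in KNOWN_SNIFFERS:
            reasons.append("holds BPF device but is not a known sniffer")
        # Indicator 2: started with an interface and a port argument.
        m = IFACE_PORT.search(cmd)
        if m and 0 < int(m.group(1)) < 65536:
            reasons.append("command line passes interface and port")
        # Indicator 3: the lure name only raises priority when another indicator fired.
        if reasons and comm == LURE_NAME:
            reasons.append("process name matches the JunoscriptService lure")
        if reasons:
            findings.append(Finding(pid, comm, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_FDS, SAMPLE_CMPLINES if False else SAMPLE_CMDLINES):
        print(f"pid {f.pid} ({f.comm}): {f.cmdline}")
        for r in f.reasons:
            print("  -", r)
```

On the sample data only pid 1410 is reported: `tcpdump` holds a BPF device but is allowlisted and its command line has no interface-then-port pair, whereas the lure process trips all three checks. Treating the process name as a priority booster rather than a standalone indicator avoids alerting on whatever legitimately carries that name.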
## Mitigation Strategies
- Reviewing network logs for signs of data exfiltration and lateral movement originating from network devices.
- Checking for common persistence mechanisms, paying attention to potentially unexpected system process modifications.
- Applying recommended hunt guides focused on BPF-based malware (e.g., TrustedSec, Sandfly Security, Elastic osquery syntax).
- Reviewing detection blogs specifically detailing `cd00r` behavior.
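The first mitigation above, reviewing network logs for exfiltration and lateral movement that originates from network devices, is the network-side complement to the host hunt: a router that suddenly initiates a TCP session to an outside address (the reverse shell the report describes) or an admin session to an internal host is worth a look. The script below is an added example of that review, not part of the Lumen report. The router addresses, expected-peer allowlist, admin-port set and byte threshold are assumptions for the example, and the flow records are constructed.

```python
"""Review flow records for router-initiated sessions (added example, not the report's code)."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto bytes_out")

# Assumptions for this example: the site's routers and the peers they may initiate traffic to.
ROUTERS = {"10.0.0.1", "10.0.0.2"}
EXPECTED_PEERS = {
    ("10.0.10.5", 514, "udp"),  # syslog collector
    ("10.0.10.6", 123, "udp"),  # NTP
    ("10.0.10.7", 162, "udp"),  # SNMP trap receiver
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ADMIN_PORTS = {22, 23, 830, 3389, 445}      # assumption: interactive/admin services
EXFIL_BYTES = 50 * 1024 * 1024             # assumption: 50 MiB out of a router is unusual

# CONSTRUCTED flow records: src,dst,sport,dport,proto,bytes_out
SAMPLE_FLOWS = """\
10.0.0.1,10.0.10.5,40000,514,udp,2048
10.0.0.1,10.0.10.6,40001,123,udp,96
10.0.0.2,203.0.113.77,45021,443,tcp,18400
10.0.0.2,10.0.20.15,45022,22,tcp,5100
10.0.50.9,198.51.100.3,51000,443,tcp,900
10.0.0.1,203.0.113.80,45023,8443,tcp,73400320
"""


def parse_flows(text):
    """Turn the CSV-style records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, sport, dport, proto, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(sport), int(dport), proto, int(nbytes)))
    return flows


def review(flows):
    """Return [(flow, [reasons])] for router-initiated sessions that need review."""
    out = []
    for f in flows:
        if f.src not in ROUTERS:
            continue  # only sessions originating from network devices matter here
        if (f.dst, f.dport, f.proto) in EXPECTED_PEERS:
            continue
        reasons = []
        external = ipaddress.ip_address(f.dst) not in INTERNAL
        if f.proto == "tcp" and external:
            reasons.append("router-initiated outbound TCP session (possible reverse shell)")
            if f.bytes_out > EXFIL_BYTES:
                reasons.append("large outbound volume (possible exfiltration)")
        elif f.proto == "tcp" and f.dport in ADMIN_PORTS:
            reasons.append("router-initiated admin session to internal host (possible lateral movement)")
        else:
            reasons.append("session to a peer outside the expected-peer allowlist")
        out.append((f, reasons))
    return out


if __name__ == "__main__":
    for flow, reasons in review(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({flow.bytes_out} bytes)")
        for r in reasons:
            print("  -", r)
```

Syslog and NTP traffic from the routers is passed over, the workstation at 10.0.50.9 is ignored because it is not a router, and three router-initiated sessions are surfaced: an outbound TCP session on 443, an SSH session to an internal host, and a large outbound session that is flagged both as a possible reverse shell and for its volume. The allowlist is what makes this useful in practice; routers normally initiate very little, so the expected-peer set stays short.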
## Related Tools/Techniques
- **cd00r:** The open-source backdoor upon which this sample is based (originally released on Packet Storm in 2000).
- **SeaSpy2:** A prior backdoor targeting Barracuda mail servers, also utilizing a `cd00r` variant.
- **Magic Packet Malware:** The technique of using specific network packets to trigger malware, observed in other campaigns (though contextually different).
- **Jaguar Tooth / Canary (BlackTech):** Other examples of malware targeting enterprise routing equipment.