The J-magic campaign targets Juniper Networks routers with a custom backdoor, designed to exploit vulnerabilities in Junos OS, a variant of FreeBSD. This malware monitors for a “magic packet” in TCP traffic sent by the threat actor, enabling them to take control of the affected device. The backdoor is based on a variant of the cd00r backdoor, a publicly available tool that has been modified for this specific campaign. The attack primarily affects enterprise-grade routers, particularly VPN gateways, with infections observed in sectors like semiconductor, energy, manufacturing, and IT across multiple regions including Europe, Asia, and South America.
Lumen Technologies, who tracked the campaign, explained that the malware waits for five predefined conditions before executing, ensuring it only responds to legitimate threat actors.
Once the “magic packet” is received, the agent sends back a secondary challenge and establishes a reverse shell connection to the attacker’s IP address. This allows the attacker to control the infected router, steal sensitive data, or deploy additional malicious payloads. The addition of the challenge response mechanism seems intended to prevent other malicious actors from hijacking the backdoor for their own use.
The campaign’s targeting of Juniper routers is notable for its focus on devices with long uptimes and little endpoint detection response (EDR) protection, which makes them appealing to threat actors. Lumen hypothesizes that the attackers specifically targeted these routers due to their central role in enterprise networks, particularly as VPN gateways. The vulnerability in NETCONF ports, which automate router configuration and management, also appears to be a potential avenue for exploitation, contributing to the attack’s effectiveness.
While the J-magic campaign is distinct from other campaigns targeting networking devices, such as Jaguar Tooth and BlackTech, it reflects a growing trend of nation-state actors abusing routers and other edge infrastructure for follow-up attacks. The findings emphasize the need for better detection and defense mechanisms for critical network infrastructure, which is often under protected compared to other endpoints in the enterprise environment. This campaign underscores the critical importance of securing enterprise-grade routers and preventing their exploitation by advanced persistent threats.
Reference: