A stealthy attack campaign turned Juniper enterprise-grade routers into entry points to corporate networks via the “J-magic” backdoor, which is loaded into the devices’ memory and spawns a reverse shell when instructed to do so.
“Our telemetry indicates the J-magic campaign was active from mid-2023 until at least mid-2024; in that time, we observed targets in the semiconductor, energy, manufacturing, and IT verticals among others,” Lumen’s Black Lotus Labs team researchers shared.
The J-magic malware
The researchers found a sample of J-magic after it was uploaded to VirusTotal in September 2023 and set out to analyze it.
“Once the file is uploaded on to the infected router, it expects an interface and port to be provided from the command line when executed. If these are supplied, the malware will rename itself as ‘[nfsiod 0]’ to masquerade as the local NFS asynchronous I/O server, then hide its tracks by overwriting the previous command line arguments,” the researchers found.
It then starts a packet capture (PCAP) listener through an eBPF extension on that interface and waits for the attacker to send a “magic packet”. When one arrives, the malware opens a reverse shell to the specified IP address and port, giving the attacker a backdoor into the device from their own server.
The triggering packet must meet five specific “conditions” set by the malware developer, and even then the reverse shell is only handed over if the connecting party answers a challenge correctly. The malware generates a random five-character alphanumeric string, encrypts it with a hardcoded RSA public key and sends the ciphertext; the expected response is the original plaintext, which only the holder of the matching private key can recover.
If the response does not match the string the malware generated, the connection is closed. If it does, the remote shell is created and is ready to accept commands.
“We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes, as other nation-state actors are known for exhibiting that parasitic tradecraft such as Turla,” the researchers posited.
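To make the challenge-response concrete, the following Go program simulates the exchange described above. It is an added example written for this article, not J-magic's code and not the researchers' code: it models the implant side, which holds only a public key, and the operator side, which holds the private key. The key pair (generated on the fly), the challenge alphabet, the use of PKCS#1 v1.5 padding, and all function and type names are assumptions; the five magic-packet conditions are not reproduced because the article does not spell them out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// The article says the challenge is a "five-character random alphanumeric
// string"; the exact alphabet J-magic draws from is an assumption.
const (
	challengeLen = 5
	alphabet     = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)

// Implant models the backdoor after a magic packet has been accepted. It holds
// the hardcoded RSA public key and the challenge it most recently issued.
type Implant struct {
	pub     *rsa.PublicKey
	pending string
}

func NewImplant(pub *rsa.PublicKey) *Implant { return &Implant{pub: pub} }

// GenerateOperatorKey stands in for the operator's key pair; in the real
// campaign only the public half is embedded in the binary.
func GenerateOperatorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// randomChallenge draws challengeLen characters from alphabet with crypto/rand.
// rand.Int avoids the modulo bias that "random byte % 62" would introduce.
func randomChallenge() (string, error) {
	out := make([]byte, challengeLen)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// Challenge generates a fresh plaintext, remembers it, and returns the RSA
// ciphertext the implant sends to whoever connected after the magic packet.
func (im *Implant) Challenge() ([]byte, error) {
	s, err := randomChallenge()
	if err != nil {
		return nil, err
	}
	im.pending = s
	return rsa.EncryptPKCS1v15(rand.Reader, im.pub, []byte(s))
}

// Verify compares the reply with the issued plaintext. The challenge is
// single-use and is cleared whatever the outcome. false is where the real
// backdoor closes the connection; true is where it hands over the shell.
func (im *Implant) Verify(reply string) bool {
	ok := im.pending != "" && reply == im.pending
	im.pending = ""
	return ok
}

// Answer is the operator side: recover the plaintext with the private key.
// Without that key decryption fails or yields garbage, so a third party who
// has learned the magic packet still cannot drive the agent.
func Answer(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	if priv == nil {
		return "", errors.New("no private key available")
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ciphertext)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, err := GenerateOperatorKey(2048)
	if err != nil {
		panic(err)
	}
	im := NewImplant(&priv.PublicKey)

	ct, _ := im.Challenge()
	reply, _ := Answer(priv, ct)
	fmt.Println("operator holding the private key accepted:", im.Verify(reply))

	ct, _ = im.Challenge()
	fmt.Println("guessed reply accepted:", im.Verify("aaaaa"))
}
```

The point the researchers make follows directly from the structure: the public key in the binary lets anyone who finds the magic-packet format locate a running agent, but only the holder of the private key can turn that into a shell. For a defender, the hardcoded public key is therefore a useful indicator to extract from a sample, and the single-use challenge means a captured reply cannot be replayed against another infected router.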
“Magic packet” malware on the rise
The malicious agent, they discovered, is a custom variant of cd00r, an old open-source project that set out to build a proof-of-concept stealthy backdoor.
cd00r has been used by various attackers over the years as the basis for their own variants, most notably the SEASPY backdoor used to compromise Barracuda Networks’ Email Security Gateway (ESG) appliances in May 2023.
Those attackers exploited a zero-day vulnerability to drop SEASPY and other malware; in the J-magic campaign, by contrast, Lumen’s researchers have not been able to determine how the attackers gained initial access to the targeted Junos OS-powered Juniper devices.
“We believe enterprise grade routers present an attractive target as they do not normally have many, if any, host-based monitoring tools in place,” the researchers noted.
“Typically, these devices are rarely power-cycled; malware tailored for routers is designed to take advantage of long uptime and live exclusively in-memory, allowing for low-detection and long-term access compared to malware that burrows into the firmware. Routers on the edge of the corporate network or serving as the VPN gateway, as many did in this campaign, are the richest targets. This placement represents a crossroads, opening avenues to the rest of a corporate network.”
Lumen’s researchers have been unable to conclusively link SEASPY and J-magic to the same threat actor, or to attribute J-magic to any other known group.
“We find it noteworthy that the Magic Packet malware is becoming an increasing trend in use against perimeter devices, first with BPFdoor, and Symbiote. We suspect this will only increase, as greater difficulty in detection creates more trouble for defenders and what reporting exists is solely the result of greater awareness surrounding this technique,” they concluded.