J-magic backdoor attacked Juniper Networks devices using ‘magic packets’

📟 News

Date: 28/01/2025

A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that starts a reverse shell only after detecting a ‘magic packet’ in network traffic.

According to the Black Lotus Labs team at Lumen Technologies, J-magic attacks targeted organizations in the semiconductor, energy, manufacturing (marine, solar, and heavy equipment), and IT industries.

“There are scattered reports of malware designed for enterprise grade routers (such as Jaguar Tooth and more recently Canary/BlackTech’s unnamed router malware), and the vast majority of attacks have come against Cisco IOS systems given their share in the market. The J-magic campaign marks the rare occasion of malware designed specifically for JunoOS, which serves a similar market but relies on a different operating system, a variant of FreeBSD,” – The Black Lotus Labs.

Based on the available telemetry, the researchers concluded that about 50% of the attacked devices were configured as VPN gateways, while the rest had an exposed NETCONF port.

Infected routers were recorded in Europe, Asia, and South America (including Argentina, Armenia, Brazil, Chile, Colombia, Indonesia, the Netherlands, Norway, Peru, the UK, the US, and Venezuela). The J-magic campaign ran from roughly mid-2023 to mid-2024, and the researchers believe the attackers behind it were seeking long-term access.

J-magic is a custom version of the publicly available proof-of-concept cd00r backdoor. It stays dormant and passively monitors network traffic for specific activation packets; once activated, J-magic starts a reverse shell, opening a communication channel to its operators.

Like the original cd00r, J-magic monitors TCP traffic for a ‘magic packet’, i.e. a packet with specific parameters sent by the attacker. To do so, the malware installs an eBPF filter on the interface and port that are passed to it as command-line arguments.

The malware inspects several fields and offsets of each incoming TCP packet for magic bytes that mark it as an activation packet from a remote IP address. J-magic tests the packet against five predefined conditions, and if it matches any one of them, the reverse shell is started.

However, to gain access to the compromised device, the sender must pass one more check: the malware sends the remote IP address a random five-character alphanumeric string encrypted with a hardcoded RSA public key. If the response does not match the original string, the connection is closed. In other words, the initiator must prove that it holds the corresponding private key.
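The behaviour described above (a tiny unsolicited inbound TCP packet to the router, followed by the router itself opening a TCP connection back to the same external host for the reverse shell and challenge-response) is something a defender can look for in flow telemetry even without knowing the magic bytes, which the report does not publish. The following Python script is an added example written for this article, not code from Black Lotus Labs or Juniper. The flow records, router address, trusted ranges and the 30-second callback window are constructed assumptions; the second check flags inbound NETCONF (TCP/830) from outside the trusted ranges, since the article notes that the non-VPN victims had that port exposed.

```python
"""Heuristic detection of a 'knock then callback' pattern in TCP flow records.

Added example for this article (not Black Lotus Labs or Juniper code). All flow
records, addresses and thresholds below are constructed for illustration. The
heuristic assumes the reverse shell connects back to the host that sent the
activation packet, which the challenge-response exchange described in the
article implies.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Flow:
    ts: datetime            # time the flow started
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    packets: int            # packets seen in the flow
    initiator_is_src: bool  # True if src sent the first packet (the SYN)


ROUTERS = {"203.0.113.1"}                         # constructed: router WAN/management address
INTERNAL_NETS = ("10.", "192.168.", "172.16.")    # constructed: trusted ranges (simplified prefix match)
CALLBACK_WINDOW = timedelta(seconds=30)           # assumption: the callback follows the knock quickly
KNOCK_MAX_PACKETS = 3                             # assumption: a magic packet is a tiny flow, not a session
NETCONF_PORT = 830


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NETS)


def find_knock_callbacks(flows: List[Flow], window: timedelta = CALLBACK_WINDOW) -> List[Tuple[Flow, Flow]]:
    """Return (knock, callback) pairs: an external host sends a very short inbound TCP
    flow to a router, and within `window` the router itself initiates a TCP
    connection back to that same external host."""
    flows = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, knock in enumerate(flows):
        if knock.proto != "tcp" or knock.dst not in ROUTERS or is_internal(knock.src):
            continue
        if knock.packets > KNOCK_MAX_PACKETS:
            continue
        for cb in flows[i + 1:]:
            if cb.ts - knock.ts > window:
                break
            if (cb.proto == "tcp" and cb.initiator_is_src
                    and cb.src == knock.dst and cb.dst == knock.src):
                hits.append((knock, cb))
    return hits


def find_exposed_netconf(flows: List[Flow]) -> List[Flow]:
    """Inbound NETCONF (TCP/830) flows to a router from outside the trusted ranges."""
    return [f for f in flows
            if f.proto == "tcp" and f.dst in ROUTERS
            and f.dport == NETCONF_PORT and not is_internal(f.src)]


T0 = datetime(2024, 3, 1, 12, 0, 0)

# Constructed sample telemetry: one knock/callback pair, one exposed NETCONF
# session, and benign traffic that must not be flagged.
SAMPLE_FLOWS = [
    Flow(T0, "198.51.100.7", 51000, "203.0.113.1", 443, "tcp", 1, True),        # the knock
    Flow(T0 + timedelta(seconds=5), "203.0.113.1", 49152, "198.51.100.7", 4444, "tcp", 40, True),  # callback
    Flow(T0 + timedelta(seconds=9), "10.0.0.5", 52000, "203.0.113.1", 830, "tcp", 30, True),       # internal NETCONF, benign
    Flow(T0 + timedelta(seconds=12), "198.51.100.9", 53000, "203.0.113.1", 830, "tcp", 12, True),  # NETCONF from the internet
    Flow(T0 + timedelta(seconds=15), "198.51.100.20", 54000, "203.0.113.1", 443, "tcp", 50, True), # real VPN session, no callback
    Flow(T0 + timedelta(seconds=20), "203.0.113.1", 55000, "198.51.100.53", 53, "udp", 2, True),   # DNS, ignored
]


if __name__ == "__main__":
    for knock, cb in find_knock_callbacks(SAMPLE_FLOWS):
        print(f"knock from {knock.src} at {knock.ts:%H:%M:%S}, router called back to "
              f"{cb.dst}:{cb.dport} at {cb.ts:%H:%M:%S}")
    for f in find_exposed_netconf(SAMPLE_FLOWS):
        print(f"NETCONF reachable from untrusted source {f.src}")
```

The knock/callback heuristic deliberately ignores the payload: it keys on the router acting as a TCP client towards a host that has just probed it, which is unusual for a VPN gateway regardless of which magic bytes the implant expects. Real deployments would feed it NetFlow/IPFIX or sFlow exports and tune the window and packet threshold to their own baseline.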

“We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes,” the analysts explain.

According to The Black Lotus Labs, J-magic is similar to the SeaSpy malware that is also based on the cd00r backdoor. However, certain differences between them make it impossible to state that J-magic belongs to the SeaSpy family.

SeaSpy was previously deployed against Barracuda Email Security Gateway (ESG) appliances by the Chinese threat actor UNC4841, whose attack exploited the CVE-2023-2868 vulnerability in the ESG.
