Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers

By Viral Trending Content 4 Min Read

Jan 23, 2025Ravie LakshmananMalware / Enterprise Security

Enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic.

According to the Black Lotus Labs team at Lumen Technologies, the activity is so named for the fact that the backdoor continuously monitors for a “magic packet” sent by the threat actor in TCP traffic.

“J-magic campaign marks the rare occasion of malware designed specifically for Junos OS, which serves a similar market but relies on a different operating system, a variant of FreeBSD,” the company said in a report shared with The Hacker News.

Evidence gathered by the company shows that the earliest sample of the backdoor dates back to September 2023, with the activity ongoing between mid-2023 and mid-2024. Semiconductor, energy, manufacturing, and information technology (IT) sectors were the most targeted.

Infections have been reported across Europe, Asia, and South America, including Argentina, Armenia, Brazil, Chile, Colombia, Indonesia, the Netherlands, Norway, Peru, the U.K., the U.S., and Venezuela.

The campaign is notable for deploying an agent after gaining initial access through an as-yet-undetermined method. The agent, a variant of a nearly 25-year-old, publicly available backdoor referred to as cd00r, waits for five different pre-defined parameters before commencing its operations.

On the receipt of these magic packets, the agent is configured to send back a secondary challenge, following which J-magic establishes a reverse shell to the IP address and port specified in the magic packet. This enables the attackers to control the device, steal data, or deploy additional payloads.
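Because the agent stays passive until triggered, the network-visible sign of the sequence described above is a router opening a TCP session of its own to an unexpected peer. The following is an added example, not code from the Lumen report or this article: a flow-log check for that behavior, where the flow records, router address, and allowlist are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed flow records (not from the report):
# (timestamp, source IP, destination IP, destination port, TCP flags)
FLOWS = [
    ("2024-05-01T10:00:00", "198.51.100.7", "192.0.2.1", 443, "SYN"),
    ("2024-05-01T10:00:01", "192.0.2.1", "198.51.100.7", 51000, "SYN,ACK"),
    ("2024-05-01T10:00:02", "192.0.2.1", "10.0.0.5", 514, "SYN"),
    ("2024-05-01T10:00:03", "192.0.2.1", "203.0.113.9", 8443, "SYN"),
    ("2024-05-01T11:00:00", "192.0.2.1", "10.0.0.6", 49, "SYN"),
]
ROUTERS = {"192.0.2.1"}  # assumed: addresses owned by the edge router
# assumed: management networks the router may legitimately contact
ALLOWED = [ipaddress.ip_network("10.0.0.0/8")]


def _allowed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def suspicious_outbound(flows, routers, allowed, window_s=60):
    """Return router-initiated TCP sessions to peers outside the allowlist.

    Each alert also names the last external host that sent traffic to the
    router within window_s seconds, as a candidate trigger for review.
    """
    alerts = []
    last_inbound = {}  # router -> (time, external source) of latest inbound flow
    for ts, src, dst, dport, flags in sorted(flows):
        t = datetime.fromisoformat(ts)
        if dst in routers and not _allowed(src, allowed):
            last_inbound[dst] = (t, src)
        # A bare SYN means the router opened the session; SYN,ACK is only a reply.
        elif src in routers and flags == "SYN" and not _allowed(dst, allowed):
            seen = last_inbound.get(src)
            recent = seen and (t - seen[0]).total_seconds() <= window_s
            alerts.append({
                "router": src, "peer": dst, "port": dport, "time": ts,
                "preceded_by": seen[1] if recent else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_outbound(FLOWS, ROUTERS, ALLOWED):
        print(alert)
```

The reverse-shell destination is taken from the magic packet and need not match the packet's sender, so `preceded_by` is context for an analyst rather than a match condition.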

Lumen theorized that the inclusion of the challenge is an attempt on the part of the adversary to prevent other threat actors from issuing magic packets in an indiscriminate manner and repurposing the J-magic agents to meet their own objectives.

It’s worth noting that another variant of cd00r, codenamed SEASPY, was deployed in connection with a campaign aimed at Barracuda Email Security Gateway (ESG) appliances in late 2022.

That said, there is no evidence at this stage to connect the two campaigns, nor does the J-magic campaign demonstrate any signs that it overlaps with other campaigns targeting enterprise-grade routers such as Jaguar Tooth and BlackTech (aka Canary Typhoon).

A majority of the potentially impacted IP addresses are said to be Juniper routers acting as VPN gateways, with a second smaller cluster comprising those with an exposed NETCONF port. It’s believed that the network configuration devices may have been targeted for their ability to automate router configuration information and management.

The exact end goals of the campaign are currently unknown, but the Black Lotus Labs team told The Hacker News that it saw “some interesting targeting” that aligned with the strategic goals for a certain country known for intellectual property theft, specifically aimed at the microprocessor manufacturing and shipbuilding verticals.

With routers being abused by nation-state actors preparing for follow-on attacks, the latest findings underscore the continued targeting of edge infrastructure, largely driven by the long uptime and a lack of endpoint detection and response (EDR) protections in such devices.

“One of the most notable aspects of the campaign is the focus on Juniper routers,” Lumen said. “While we have seen heavy targeting of other networking equipment, this campaign demonstrates that attackers can find success expanding to other device types such as enterprise grade routers.”
