Juniper Networks’ enterprise-class routers have been targeted by a custom backdoor in a campaign called J-magic.
According to the Black Lotus Labs team at Lumen Technologies, the activity got its name because the backdoor continuously monitors TCP traffic for a “magic packet” sent by the threat actor.
“J-magic is a rare case of malware designed specifically for Junos OS, which serves a similar market but relies on a different operating system, a variant of FreeBSD,” the company said in a report shared with The Hacker News.
Data collected by the company shows that the earliest sample of the backdoor is dated to September 2023, and activity continued from mid-2023 to mid-2024. The semiconductor, energy, manufacturing and information technology (IT) sectors were the most targeted.
Infections have been reported in Europe, Asia and South America, including Argentina, Armenia, Brazil, Chile, Colombia, Indonesia, the Netherlands, Norway, Peru, Great Britain, the United States and Venezuela.
The campaign is notable for deploying the agent after gaining initial access in an as-yet unspecified way. The agent, a variant of a public backdoor called cd00r, passively waits for five different predefined parameters before starting its operations.
After receiving these magic packets, the agent is configured to send a secondary challenge, after which J-magic establishes a reverse shell to the IP address and port specified in the magic packet. This allows attackers to control the device, steal data, or deploy additional payloads.
Lumen speculated that the challenge was likely an attempt by the adversary to prevent other threat actors from indiscriminately sending magic packets and repurposing J-magic agents for their own goals.
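The behaviour described above (an inbound packet from an external host, followed by the router itself opening an outbound TCP session back to that host) is something flow telemetry can surface. The following is an added detection heuristic, not code from the report or from Lumen; it runs over constructed NetFlow-style records, and the router address, internal prefix, field names and pairing window are all assumptions.

```python
"""Flag router-initiated outbound TCP sessions that follow an inbound packet
from the same external host, a pattern consistent with a magic-packet
triggered reverse shell. Flow records and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

ROUTER_IPS = {"192.0.2.1"}                                  # assumed monitored router
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # assumed internal range
WINDOW_SECONDS = 60                                         # inbound -> outbound pairing window


@dataclass
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    initiator: str   # "src" if src sent the SYN (assumed exporter field)


# Constructed sample flows (not real traffic). Flow 3 is the router calling
# back out to the host that had just sent it an inbound packet on an odd port.
SAMPLE_FLOWS = [
    Flow(1000, "198.51.100.7", "192.0.2.1", 443, "tcp", "src"),   # VPN client, normal
    Flow(1010, "203.0.113.9", "192.0.2.1", 8080, "tcp", "src"),   # inbound, unusual port
    Flow(1025, "192.0.2.1", "203.0.113.9", 4444, "tcp", "src"),   # router-initiated callback
    Flow(1100, "192.0.2.1", "192.0.2.50", 514, "udp", "src"),     # syslog to internal host
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_callbacks(flows, router_ips=ROUTER_IPS, window=WINDOW_SECONDS):
    """Return (trigger, callback) pairs: an outbound TCP session initiated by a
    router to an external host that sent the router a packet within `window`."""
    last_inbound = {}   # (external host, router) -> most recent inbound flow
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dst in router_ips and not is_internal(f.src):
            last_inbound[(f.src, f.dst)] = f
        elif (f.src in router_ips and f.proto == "tcp" and f.initiator == "src"
              and not is_internal(f.dst)):
            trigger = last_inbound.get((f.dst, f.src))
            if trigger is not None and 0 <= f.ts - trigger.ts <= window:
                hits.append((trigger, f))
    return hits


if __name__ == "__main__":
    for trig, cb in find_callbacks(SAMPLE_FLOWS):
        print(f"router {cb.src} opened tcp/{cb.dport} to {cb.dst} "
              f"{cb.ts - trig.ts}s after inbound packet to port {trig.dport}")
```

Routers that legitimately originate outbound TCP sessions (NTP, RADIUS, software updates) will need an allow-list before this is useful on live telemetry.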
It should be noted that another cd00r variant, codenamed MARITIME, was deployed in a campaign targeting Barracuda Email Security Gateway (ESG) devices in late 2022.
However, at this stage there is no evidence of a connection between the two campaigns, nor does J-magic show any signs of overlap with other campaigns targeting enterprise routers, such as Jaguar Tooth and BlackTech (aka Canary Typhoon).
Most of the potentially affected IP addresses are said to be Juniper routers acting as VPN gateways, with a second, smaller cluster consisting of those with an exposed NETCONF port. It is believed that the network configuration tool may have been targeted for its ability to automate router configuration information and management.
With routers increasingly abused by nation-state actors staging future attacks, the latest findings highlight the continued focus on edge infrastructure, which is largely due to the long uptime of such devices and their lack of endpoint detection and response (EDR) coverage.
“One of the most notable aspects of the campaign is the focus on Juniper routers,” Lumen said. “While we have seen serious attacks against other network equipment, this campaign demonstrates that attackers can succeed by expanding to other types of devices, such as enterprise-grade routers.”