The "Magic" Backdoor: A New Type of Malware Discovered in Junos OS Routers
When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can’t be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what’s known in the business as a “magic packet.”
J-Magic: A Stealthy Backdoor
Researchers at Lumen Technologies' Black Lotus Labs have discovered a never-before-seen backdoor, which they track as J-Magic, that quietly took hold of dozens of enterprise VPN gateways running Juniper Networks' Junos OS. J-Magic is a lightweight backdoor that resides only in memory, which makes it harder for defenders to detect.
How J-Magic Works
The backdoor is deployed to quietly observe all TCP traffic sent to the device, checking each incoming packet for one of five specific sets of field values. These conditions are obscure enough that a matching packet blends in with ordinary traffic, yet specific enough that legitimate traffic is unlikely to match them by accident.
The "Magic Packet"
Once the backdoor receives a magic packet hidden in the normal flow of TCP traffic, it sends a challenge back to the host that sent it. The challenge is a string of text encrypted with the public half of an RSA key pair. The initiating party must respond with the corresponding plaintext, proving it holds the matching private key; without it, a rival group or a defender who has merely observed the trigger cannot operate the backdoor.
Detection Challenges
The combination of J-Magic's stealthy behavior and its ability to reside only in memory makes it challenging for defenders to detect. The researchers at Black Lotus Labs noted that while this is not the first discovery of magic-packet malware, the combination of targeting Junos OS routers that serve as VPN gateways and deploying a passive, in-memory-only listening agent makes it an interesting and noteworthy case.
Conclusion
J-Magic is a sophisticated backdoor that demonstrates the continued evolution of threat actor tactics and techniques. Its ability to blend in with normal traffic and reside only in memory makes it a challenging target for detection. As the cybersecurity landscape continues to evolve, it is essential for defenders to stay vigilant and adapt to new threats like J-Magic.
FAQs
Q: What is J-Magic?
A: J-Magic is a never-before-seen backdoor discovered by researchers at Lumen Technologies' Black Lotus Labs. It targets Junos OS routers and resides only in memory.
Q: How does J-Magic work?
A: J-Magic quietly observes all TCP traffic sent to the device, checking incoming packets for one of five specific sets of field values. When one matches, it sends an RSA-encrypted challenge to the host that sent it, which must respond with the corresponding plaintext, proving it holds the private key.
Q: How many organizations were affected by J-Magic?
A: The researchers at Black Lotus Labs found J-Magic in the networks of 36 organizations.
Q: How was J-Magic deployed?
A: The researchers are still unsure how J-Magic was deployed, as they did not find any evidence of initial infection.