Malware targets enterprise-grade Juniper routers



Researchers from Black Lotus Labs have identified a targeted malware campaign that exploits enterprise-grade Juniper routers.

Dubbed “J-Magic,” the campaign uses a “magic packet” to trigger a backdoor on FreeBSD-based Junos OS routers, enabling attackers to covertly gain control over devices, exfiltrate data, or deploy additional malicious software.

The campaign has drawn particular attention due to its focus on high-value Juniper networking hardware, which typically serves as critical infrastructure within organisations. Enterprise-grade routers are attractive targets for attackers because they typically lack robust host-based monitoring tools, are rarely power-cycled, and give memory-resident malware a place to persist.

According to Black Lotus Labs, the attack has been active since mid-2023 and has targeted various industries, including semiconductors, energy, IT, and manufacturing. Juniper routers functioning as Virtual Private Network (VPN) gateways were particularly affected, representing a critical point of entry into organisational networks.

The magic of J-Magic

At the heart of the campaign lies a variant of the legacy malware cd00r, an open-source project that first appeared in 2000. While cd00r was initially designed to experiment with “invisible” backdoors, cybercriminals have adapted it into a highly sophisticated tool in J-Magic. The malware is notable for its ability to remain passive until specific predefined conditions are met in incoming TCP traffic. 

Black Lotus Labs summarised the mechanics of J-Magic as follows:

  • Magic packet detection: The malware installs a passive agent on the router to monitor all inbound TCP traffic using packet capture (pcap) functionality via extended Berkeley Packet Filters (eBPF).
  • Activate conditional triggers: Specific criteria, referred to as “magic packets,” are embedded into TCP payloads. These packets contain a set of predefined parameters, any of which can activate the malware.
  • Challenge-response mechanism: Once activated, the malware sends a challenge encrypted using a hardcoded RSA public key. The attacker must respond correctly to gain a command shell.
  • Reverse shell access: Upon successful authentication, the attacker is granted control over the infected device, allowing them to download data, issue commands or pivot deeper into the corporate network.

The malware also disguises itself as a legitimate process named `[nfsiod 0]`, which mimics the appearance of Junos OS processes to avoid detection by administrators.

J-Magic watches for carefully crafted conditions in incoming TCP packets. Key parameters include specific byte sequences in TCP headers, source and destination IP addresses and ports, and certain patterns in the payload data. If any one of five predefined conditions is met, the malware launches its reverse shell and sends the challenge to the attacker’s IP address.

While J-Magic shares similarities with an earlier malware campaign called SeaSpy, which also targeted FreeBSD-based systems using cd00r variants, the Black Lotus team remains cautious about linking the two.

“Though aspects of J-Magic’s tradecraft resemble SeaSpy, including shared function names and reliance on magic packets, there were distinct features such as the embedded RSA certificate challenge not seen in SeaSpy samples,” the researchers explained.

The campaign also underscores a growing trend within the threat actor community to leverage passive, memory-resident malware that evades traditional detection methods—a tactic made prominent by backdoors like BPFdoor and Symbiote.

Juniper routers present rich targets

The researchers traced instances of J-Magic malware infections across 36 unique IP addresses globally. Almost half of the infected devices were confirmed to be serving as VPN gateways for affected organisations, facilitating remote access and potential credential theft.

Victim organisations spanned a range of sectors and regions. Highlights include:

  • UK-based construction and IT firms targeted between June and August 2024.
  • A Norwegian bioengineering company receiving repeated magic packets throughout mid-to-late 2024.
  • Organisations in the energy field, including a solar panel manufacturer.

Another subset of the infected devices had NETCONF ports exposed, often used for automated device management. Such routers typically serve larger fleets within telecoms or Internet Service Providers (ISPs), underlining the attackers’ intent to compromise centralised infrastructure.

Interestingly, researchers found a geographical split in attack tactics: European devices were primarily hit as VPN gateways, while South American routers – often managed remotely – appeared to be in reconnaissance phases.

The J-Magic campaign exemplifies the increased focus and success of attackers targeting enterprise-grade routers, straying beyond traditional targets like consumer or small office/home office (SOHO) equipment. Juniper routers, with their niche yet critical roles in enterprise networking environments, present rich targets for malicious actors looking to infiltrate high-stakes organisations.

Aided by advanced tactics like passive eBPF-based sniffing and modular cd00r variants, such campaigns pose significant challenges for defenders. “As malware evolves to exploit memory-resident and passive features, detection becomes significantly harder,” Black Lotus Labs noted.

To mitigate risks, organisations using Juniper routers or similar devices should implement stringent access controls, ensure frequent updates of device operating systems, and leverage intrusion detection systems (IDS) that can recognise anomalous patterns in packet structures and network flows.
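The flow-level anomaly that gives J-Magic away is the ordering described above: the router stays silent until an external host sends it traffic, and then the router, not the attacker, initiates a new outbound connection back to that host to deliver the challenge. The script below is an added example, not code from the report; it assumes unidirectional flow records keyed on the connection initiator, a known router address, and a fixed list of internal networks, and all flow records in it are constructed sample data.

```python
"""Flag a router that dials an external host shortly after receiving
unsolicited inbound traffic from that same host (triage heuristic, not a verdict).

Assumptions: each Flow is recorded from the initiator's side (src opened the
connection); ROUTER is the monitored device; addresses outside INTERNAL_NETS
are external. Legitimate callbacks (e.g. RADIUS, NTP) are excluded only by
these rules, so hits need analyst follow-up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since epoch
    src: str    # connection initiator
    dst: str
    dport: int


ROUTER = "203.0.113.1"            # assumed monitored gateway address
WINDOW_SECONDS = 30.0             # assumed max gap between trigger and callback
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: a VPN client, an internal RADIUS call, an NTP sync,
# and one unsolicited packet followed by a router-initiated callback.
SAMPLE_FLOWS = [
    Flow(1000.0, "198.51.100.20", ROUTER, 443),   # legitimate VPN client
    Flow(1001.0, ROUTER, "192.168.10.5", 1812),   # router -> internal RADIUS
    Flow(2000.0, "198.51.100.7", ROUTER, 8888),   # unsolicited inbound packet
    Flow(2003.0, ROUTER, "198.51.100.7", 4444),   # router dials back the sender
    Flow(3000.0, ROUTER, "198.51.100.99", 123),   # NTP, no prior inbound trigger
]


def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return addr != ROUTER and not any(ip in net for net in INTERNAL_NETS)


def find_triggered_callbacks(flows, router=ROUTER, window=WINDOW_SECONDS):
    """Return (inbound, outbound) pairs where the router initiates a connection
    to an external host within `window` seconds of that host contacting it."""
    ordered = sorted(flows, key=lambda f: f.ts)
    hits = []
    for out in ordered:
        if out.src != router or not is_external(out.dst):
            continue
        for inb in ordered:
            if inb.dst == router and inb.src == out.dst and 0 <= out.ts - inb.ts <= window:
                hits.append((inb, out))
                break
    return hits


if __name__ == "__main__":
    for inb, out in find_triggered_callbacks(SAMPLE_FLOWS):
        print(f"trigger {inb.src}:{inb.dport} at {inb.ts} -> callback to {out.dst}:{out.dport} at {out.ts}")
```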

As network infrastructures become increasingly complex, attacks like J-Magic will likely become more prevalent. The tradecraft showcased in this campaign demonstrates actors’ growing expertise in fooling conventional defences while targeting critical digital touchpoints in enterprises.

(Image by Adrian Malec)


