Black Lotus Labs recently uncovered the new J-Magic Backdoor, a malicious tool actively targeting corporate VPNs running on Juniper Networks Junos OS. This sophisticated malware operates covertly, waiting for a special signal known as a Magic Packet to trigger its malicious activities.
The J-Magic Backdoor works by examining incoming network traffic, analyzing data packets based on five specific conditions that are designed to blend in with normal network activity to evade detection by security systems.
Once one of these conditions is met, the backdoor is activated, sending an encrypted challenge to the attacker. Only a party holding the matching secret RSA key can produce the correct response, which prevents anyone else who discovers the trigger from using the backdoor.
Derived from the cd00r proof-of-concept backdoor published in 2000, J-Magic combines passive monitoring, RSA authentication, and memory-only residence, making it very difficult to detect. It runs solely in device memory and never installs itself on disk, further complicating detection efforts.
Notably, the malware utilizes SSL to establish a reverse connection with the attacker’s IP address, making it even more challenging to monitor and analyze network traffic. J-Magic was found in the systems of 36 organizations across various sectors, including semiconductor production, energy, IT, and industrial manufacturing, during a campaign spanning mid-2023 to mid-2024.
It remains unclear how J-Magic was deployed on the targeted devices, with potential avenues including exploiting vulnerabilities in network equipment or leveraging phishing attacks for network infiltration. Activation of the backdoor occurs following the receipt of a specific “magic packet” containing particular data that aligns with the predefined conditions set by the malware.
For instance, these conditions may include certain byte values at designated offsets in the TCP header, specific port numbers, unique byte sequences, and specific source IP address and port combinations in the triggering packet. When any of these conditions are met, J-Magic initiates a reverse connection and gates the exchange with an RSA challenge-response.
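As an added illustration, not part of the article or of Black Lotus Labs' analysis, the following Python models the RSA challenge-response gate described above: the implant encrypts a random nonce to the operator's public key, and only the holder of the private exponent can return it. The key parameters are constructed toy values and the function names are assumptions.

```python
import secrets

# Constructed toy key pair: tiny primes so the arithmetic stays readable.
# A real key is thousands of bits and uses padding; the gating logic is the same.
P, Q = 61, 53
N = P * Q                 # modulus, 3233
E = 17                    # public exponent, known to the implant
PHI = (P - 1) * (Q - 1)   # 3120
D = pow(E, -1, PHI)       # private exponent, 2753; held only by the operator (Python 3.8+)


def issue_challenge():
    """Implant side: after a packet matched a trigger condition, draw a fresh
    nonce and encrypt it to the operator's public key.
    Returns (nonce, ciphertext); the nonce is kept, the ciphertext is sent."""
    nonce = secrets.randbelow(N - 2) + 2      # 2 <= nonce < N, never the trivial 0 or 1
    return nonce, pow(nonce, E, N)


def answer_challenge(ciphertext, private_exponent):
    """Responder side: recover the nonce. Only the correct private exponent
    inverts the public-key encryption; any other exponent yields garbage."""
    return pow(ciphertext, private_exponent, N)


def handshake(private_exponent):
    """Run one round. True only if the responder returned the exact nonce,
    so a third party who merely replays the magic packet cannot pass."""
    nonce, ciphertext = issue_challenge()
    return answer_challenge(ciphertext, private_exponent) == nonce
```

Because the implant never reveals the nonce in the clear, a defender observing the trigger packet alone cannot complete the handshake, which is why the authors describe the backdoor as usable only by the key holder.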