The J-Magic Show: Magic Packets and Where to find them
Jan. 24, 2025, 8:23 a.m.
Description
Black Lotus Labs has been tracking a backdoor campaign targeting enterprise-grade Juniper routers. Dubbed J-magic, the campaign uses a passive agent that monitors TCP traffic for 'magic packets'. Once activated, it establishes a reverse shell that gives the operator device control and a channel for data theft. The campaign, active from mid-2023 to mid-2024, targeted the semiconductor, energy, manufacturing, and IT sectors. The malware, a variant of the open-source cd00r backdoor, is hard to detect because it never opens a listening port of its own and takes advantage of routers' long uptime, since such devices are rarely rebooted or inspected. Approximately 50% of the targeted devices were configured as VPN gateways, potentially giving the attackers a path into the organizations' internal networks. The campaign's use of open-source malware and its specific targeting of Junos OS-based systems make it a noteworthy threat to enterprise networks.
Date
- Created: Jan. 23, 2025, 9:03 p.m.
- Published: Jan. 23, 2025, 9:03 p.m.
- Modified: Jan. 24, 2025, 8:23 a.m.
Indicators
- c7cf51499973908cbc4c746f689b6ed245b26b1a9eae62fe9329f3a1036e82f4
- 957c0c135b50d1c209840ec7ead60912a5ccefd2873bf5722cb85354cea4eb37
- 5e3c128749f7ae4616a4620e0b53c0e5381724a790bba8314acb502ce7334df2
- 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
Additional Information
- Semiconductor
- Technology
- Energy
- Telecommunications
- Manufacturing
- Venezuela, Bolivarian Republic of
- Chile
- Colombia
- Armenia
- Netherlands
- Norway
- Argentina
- Peru
- Indonesia
- Brazil
- United States of America
- Russian Federation