Pierluigi Paganini January 24, 2025

Threat actors are targeting Juniper routers with a custom backdoor in a campaign called code-named “J-magic,” attackers are exploiting a Magic Packet flaw.

Lumen Technologies researchers reported that the J-magic campaign targets Juniper routers with a custom backdoor using a passive agent based on the cd00r variant (an open-source backdoor by fx). It activates upon detecting a “magic packet” with predefined parameters, enabling attackers to establish a reverse shell, control devices, steal data, or deploy malware. Earliest evidence dates to September 2023, but the experts have yet to determine the initial access method.

The J-magic campaign is notable for targeting JunoOS, a FreeBSD-based operating system that threat actors rarely target in malware attacks.

Lumen’s telemetry shows that roughly 50% of the targeted enterprise devices are configured as a virtual private network (VPN) gateway. An attacker can compromise these systems to gain remote access to the organizations. 

Upon installation, the agent executed via a command line argument specifying an interface and listening port. It initiated a pcap listener using an eBPF extension on that interface. When a magic packet was detected, the agent spawned a reverse shell to the IP address and port specified by the packet. The reverse shell issued a challenge by sending an encrypted string using a hard-coded certificate. If the remote user returned the correct string, they were granted a command shell; otherwise, the connection was closed. Although magic packet malware is rare, the targeting of Junos OS routers as VPN gateways and the use of a passive, in-memory-only agent highlights a sophisticated tradecraft deserving of further scrutiny.

Lumen experts also mentioned another variant of cd00r, codenamed SEASPY, that was used in a campaign targeting Barracuda Email Security Gateway (ESG) appliances that dates back in 2022.

However, there is no evidence that the two campaigns are linked.

“Elements of this activity cluster share some technical indicators with a subset of prior reporting on a malware family named SeaSpy2, however we do not have enough data points to link these two campaigns with high confidence. SeaSpy was a backdoor that targeted another FreeBSD-based system, the Barracuda mail server, with a variant of cd00r. While some cd00r functions share the same non-standard names, this latest sample contains an embedded certificate that presents a “challenge” which was not present in previous examples found in VirusTotal, indicating an evolution in operational security and tradecraft.” concludes the report. “Though there have been numerous public reports of advanced actors targeting networking equipment, Black Lotus Labs tracks the J-magic campaign as unaffiliated with other more prominent clusters recently appearing in the public eye.”  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)