The J-magic campaign, tracked by Black Lotus Labs at Lumen Technologies, employs a backdoor tailored for enterprise-grade Juniper routers: a passive agent that monitors for a “magic packet” sent by the attackers. Once activated, it establishes remote access for data theft or malware deployment. This campaign highlights the exposure of enterprise routers, particularly those configured as VPN gateways. Affected: Juniper routers, enterprise networks, semiconductor sector, energy sector, manufacturing sector, IT sector.
Key points:
- The J-magic campaign targets enterprise-grade Juniper routers using a custom backdoor.
- Once the malware is installed, it listens for specific TCP traffic “magic packets.”
- Upon detecting a magic packet, it spawns a reverse shell for remote access.
- The malware exploits the long uptime of routers to avoid detection.
- Targets include organizations in the semiconductor, energy, manufacturing, and IT sectors.
- It employs a variant of the open-source malware cd00r, and contains evolved operational security traits.
- There is some technical overlap with the SeaSpy malware family, but no definitive link.
- This campaign suggests an increasing trend of attacking networking equipment.
- Telemetry indicated the campaign was active from mid-2023 to at least mid-2024.
- Recommendations for detection include reviewing network logs and assessing IoCs provided in the report.
MITRE Techniques:
- T1059.001 – Command and Scripting Interpreter: PowerShell
  – The malware executes commands through a reverse shell once established.
- T1071.001 – Application Layer Protocol: Web Protocols
  – Uses TCP traffic to communicate and check for magic packets.
- T1046 – Network Service Discovery
  – Listens for specific network conditions to activate the malware.
- T1069 – Permission Groups Discovery
  – Targets VPN gateways typically lacking host-based monitoring.
- T1077 – Windows Admin Shares
  – Establishes a command shell upon successful challenge response from the attacker.
Indicators of Compromise:
- [IP Address] 198.46.158[.]172
- [Magic Packet Condition] TCP Destination Port 443
- [Magic Packet Condition] Source Port “36429”
- [Magic Packet Condition] Payload starts with “Z4vE”
- [Certificate Fingerprint] (Referenced in GitHub page)
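The three magic-packet conditions above can be turned directly into detection logic. The following Python checker is an added example, not code from the Lumen report: it parses a constructed flow-record format (assumed here, not a Juniper or Lumen format), flags packets that match all three conditions, and separately flags any contact with the listed IP address.

```python
import base64
from dataclasses import dataclass

# Indicators taken from the summary above (IP written without the "[.]" defanging).
MAGIC_DST_PORT = 443
MAGIC_SRC_PORT = 36429
MAGIC_PREFIX = b"Z4vE"
KNOWN_IP = "198.46.158.172"


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_record(line: str) -> Packet:
    """Parse one constructed record: 'proto=tcp src=IP:PORT dst=IP:PORT payload_b64=...'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    payload = base64.b64decode(fields.get("payload_b64", ""))
    return Packet(fields["proto"].lower(), src_ip, int(src_port), dst_ip, int(dst_port), payload)


def is_magic_packet(pkt: Packet) -> bool:
    """True only when all three conditions from the report summary hold together."""
    return (pkt.proto == "tcp"
            and pkt.dst_port == MAGIC_DST_PORT
            and pkt.src_port == MAGIC_SRC_PORT
            and pkt.payload.startswith(MAGIC_PREFIX))


def triage(lines):
    """Return (magic_packet_hits, known_ip_hits) for a batch of records."""
    magic, ip_hits = [], []
    for line in lines:
        pkt = parse_record(line)
        if is_magic_packet(pkt):
            magic.append(pkt)
        if KNOWN_IP in (pkt.src_ip, pkt.dst_ip):
            ip_hits.append(pkt)
    return magic, ip_hits


# Constructed sample records (not real traffic): a full match, a near miss with the
# right ports but a TLS ClientHello payload, and a plain HTTPS flow from the listed IP.
SAMPLE = [
    "proto=tcp src=203.0.113.7:36429 dst=192.0.2.1:443 payload_b64=" + base64.b64encode(b"Z4vE" + b"\x01" * 8).decode(),
    "proto=tcp src=203.0.113.7:36429 dst=192.0.2.1:443 payload_b64=" + base64.b64encode(b"\x16\x03\x01").decode(),
    "proto=tcp src=198.46.158.172:51234 dst=192.0.2.1:443 payload_b64=" + base64.b64encode(b"\x16\x03\x01").decode(),
]

if __name__ == "__main__":
    hits, ips = triage(SAMPLE)
    print(f"magic packets: {len(hits)}, known-IP contacts: {len(ips)}")
```

Because the agent is passive, the magic packet is the only pre-shell network artifact; the source-port and payload-prefix checks together keep ordinary port-443 traffic from matching.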
Full Story: https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/