Magic Packet Malware Targets Juniper VPN Gateways
Written by Karolis Liucveikis on
According to a recent report published by Lumen's Black Lotus Labs, researchers discovered an attack campaign using a carefully crafted backdoor to target enterprise-grade Juniper routers. Briefly, the attack begins with a passive agent that continuously monitors TCP traffic for a "magic packet" sent by the attacker. Once the agent detects the "magic packet," the backdoor opens.
The campaign has been dubbed J-magic. VirusTotal data shows the malware has been in development since 2023, as the first sample was uploaded in September 2023. At the time of writing, researchers had not determined the initial access vector; however, once in place, the malware installs the agent, which passively monitors traffic for five predefined parameters before activating.
If a packet matching any of these parameters, the "magic packet," is received, the agent sends back a secondary challenge. Once the challenge is completed, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or drop other malicious payloads.
A "magic packet" is a specially crafted network packet used in the Wake-on-LAN (WoL) feature to wake a computer from a low-power state. This packet contains the target computer's MAC address repeated multiple times in a specific format. This allows the network interface card (NIC) to recognize it and trigger the particular machine's wake-up process.
Magic packets enable remote management and maintenance of computers, especially in enterprise environments. That said, threat actors were quick to borrow the magic packet idea as a trigger for backdoors into enterprise environments.
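The Wake-on-LAN magic packet layout described above, as an added example that is not part of the article: a builder and a strict parser in Python. The optional SecureOn password trailer is part of the WoL format but is not something the article mentions.

```python
"""Build and validate Wake-on-LAN magic packets (added example, not from the article)."""
from dataclasses import dataclass
from typing import Optional

SYNC = b"\xff" * 6   # synchronisation stream that opens every magic packet
MAC_REPEATS = 16     # the target MAC follows, repeated 16 times

@dataclass
class MagicPacket:
    mac: str                   # aa:bb:cc:dd:ee:ff
    password: Optional[bytes]  # optional SecureOn password (4 or 6 bytes), else None

def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return the 102-byte WoL payload (plus password) for a MAC like aa:bb:cc:dd:ee:ff."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC + raw * MAC_REPEATS + password

def parse_magic_packet(payload: bytes) -> Optional[MagicPacket]:
    """Decode a candidate payload; return None unless it is a well-formed magic packet."""
    if not payload.startswith(SYNC):
        return None
    body = payload[len(SYNC):]
    mac_len = 6 * MAC_REPEATS
    if len(body) < mac_len:
        return None
    mac_raw = body[:6]
    # All 16 copies must be byte-identical; the receiving NIC matches on the full pattern.
    if body[:mac_len] != mac_raw * MAC_REPEATS:
        return None
    password = body[mac_len:]
    if len(password) not in (0, 4, 6):
        return None
    return MagicPacket(mac=":".join(f"{b:02x}" for b in mac_raw),
                       password=password or None)
```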
Black Lotus researchers believe enterprise-grade routers present an attractive target to threat actors. Researchers go on to say,
...[Enterprise grade routers] do not normally have many, if any, host-based monitoring tools in place. Typically, these devices are rarely power-cycled; malware tailored for routers is designed to take advantage of long uptime and live exclusively in-memory, allowing for low-detection and long-term access compared to malware that burrows into the firmware. Routers on the edge of the corporate network or serving as the VPN gateway, as many did in this campaign, are the richest targets. This placement represents a crossroads, opening avenues to the rest of a corporate network. Our telemetry indicates the J-magic campaign was active from mid-2023 until at least mid-2024; in that time, we observed targets in the semiconductor, energy, manufacturing, and IT verticals among others.
J-magic Attack
The discovery of J-magic attacks in the wild presented security researchers with a unique opportunity to dive deeper into a magic packet attack. Further, the J-magic campaign is a rare instance of malware explicitly designed for Junos OS, which serves a similar market but runs on a different operating system, a variant of FreeBSD. Black Lotus telemetry showed that roughly 50% of the targeted devices appear to be configured as virtual private network (VPN) gateways for their organizations.
As to what the threat actor could do with a compromised VPN gateway, researchers noted that a victim device could be used for remote access to both the Juniper router and the VPN gateway. This could, in turn, then be exploited for credential theft or to serve as a possible access vector into the organization.
As mentioned above, the initial access vector used in J-magic attacks remains to be determined. However, once the threat actor has established a presence on a compromised router, they favor the use of open-source malware.
The analyzed malware sample appeared to fit that trend: it is a custom variant of the cd00r passive agent used in other known magic packet attacks. Originally an open-source project, cd00r was designed to explore the idea of an "invisible" backdoor, or at the very least one that presents several detection challenges for system administrators and network engineers.
Once active, the threat actor was seen to complete the following actions that neatly summarize the attack chain:
- The agent was executed with command-line arguments specifying an interface and a listening port.
- The agent started a pcap listener through an eBPF extension on that interface.
- If a magic packet is detected, it spawns a reverse shell to the IP address and port specified by the magic packet.
- The reverse shell then issues a "challenge" by sending a string encrypted via a hard-coded certificate. If the remote user passes that string back, it is given a command shell. If the string is not received, it closes the remote connection.
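One way a defender could look for the trigger-then-callback pattern in the attack chain above, as an added example that is not from the article or the Black Lotus report: correlate an unsolicited inbound TCP packet hitting a non-service port on the gateway with a TCP session the gateway itself opens shortly afterwards. The addresses, ports, 30-second window and packet threshold are constructed assumptions, and the flow records are constructed sample data.

```python
"""Correlate an unsolicited inbound TCP packet to a router with a TCP session the
router itself then opens to an outside host. Added detection example; it is not
from the article or the Black Lotus report, and the thresholds are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Flow:
    ts: float    # epoch seconds at flow start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    pkts: int    # packets observed in the flow

# Constructed site inventory (assumed): the gateway's own address, the services it
# is meant to expose, and the peers it is expected to open TCP sessions to (e.g. BGP).
ROUTER_IPS = {"203.0.113.1"}
EXPOSED_PORTS = {22, 443, 500, 4500}
EXPECTED_OUTBOUND = {("203.0.113.2", 179), ("192.0.2.10", 49)}
WINDOW_S = 30.0  # callback must start within this many seconds of the trigger

def find_trigger_callback_pairs(flows: List[Flow]) -> List[Tuple[Flow, Flow]]:
    """Return (trigger, callback) pairs worth an analyst's attention."""
    triggers = [f for f in flows
                if f.proto == "tcp" and f.dst in ROUTER_IPS
                and f.dport not in EXPOSED_PORTS and f.pkts <= 3]
    callbacks = [f for f in flows
                 if f.proto == "tcp" and f.src in ROUTER_IPS
                 and f.dst not in ROUTER_IPS
                 and (f.dst, f.dport) not in EXPECTED_OUTBOUND]
    pairs = []
    for trig in triggers:
        for cb in callbacks:
            # The callback target is chosen by the trigger packet, so do NOT
            # require cb.dst == trig.src; correlate on timing alone.
            if 0.0 <= cb.ts - trig.ts <= WINDOW_S:
                pairs.append((trig, cb))
    return pairs

# Constructed sample flows: routine traffic plus one trigger/callback pair.
SAMPLE_FLOWS = [
    Flow(1000.0, "198.51.100.20", 51000, "203.0.113.1", 22, "tcp", 40),     # admin SSH
    Flow(1001.0, "203.0.113.1", 179, "203.0.113.2", 179, "tcp", 500),      # BGP peer
    Flow(1002.0, "203.0.113.1", 123, "192.0.2.5", 123, "udp", 2),          # NTP
    Flow(1100.0, "198.51.100.77", 40000, "203.0.113.1", 5555, "tcp", 1),   # lone inbound packet
    Flow(1102.5, "203.0.113.1", 49152, "198.51.100.90", 4444, "tcp", 300), # router dials out
]
```

Running `find_trigger_callback_pairs(SAMPLE_FLOWS)` yields the single 5555-then-4444 pair; the SSH, BGP and NTP flows are all excluded by the inventory.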
In conclusion, researchers pointed out that perhaps the most notable aspect of the attack campaign was its focus on targeting Juniper routers.
Researchers also believe magic packet attacks, like J-magic, are likely to increase in the near term, stating,
We suspect this will only increase, as greater difficulty in detection creates more trouble for defenders and what reporting exists is solely the result of greater awareness surrounding this technique. While there is some weak association with the actors behind the SeaSpy malware campaign, we do not have any overlap between this campaign and other families mentioned in industry reports, nor with those who have previously used BPF-based backdoors. While several newsworthy groups have lately been shown to be proficient in the use of passive agents and targeting networking equipment, we have not seen any tooling overlap, victimology trends, or operational infrastructure.