When menace actors use backdoor malware to achieve entry to a community, they wish to be certain that all their laborious work can’t be leveraged by competing teams or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that continues to be dormant till it receives what’s identified within the enterprise as a “magic packet.” On Thursday, researchers revealed {that a} never-before-seen backdoor that quietly took maintain of dozens of enterprise VPNs working Juniper Community’s Junos OS has been doing simply that.
J-Magic, the monitoring identify for the backdoor, goes one step additional to forestall unauthorized entry. After receiving a magic packet hidden within the regular movement of TCP visitors, it relays a problem to the system that despatched it. The problem comes within the type of a string of textual content that’s encrypted utilizing the general public portion of an RSA key. The initiating get together should then reply with the corresponding plaintext, proving it has entry to the key key.
Open sesame
The light-weight backdoor can be notable as a result of it resided solely in reminiscence, a trait that makes detection tougher for defenders. The mixture prompted researchers at Lumen Expertise’s Black Lotus Lab to sit down up and take discover.
“Whereas this isn’t the primary discovery of magic packet malware, there have solely been a handful of campaigns in recent times,” the researchers wrote. “The mixture of concentrating on Junos OS routers that function a VPN gateway and deploying a passive listening in-memory solely agent, makes this an attention-grabbing confluence of tradecraft worthy of additional statement.”
The researchers discovered J-Magic on VirusTotal and decided that it had run contained in the networks of 36 organizations. They nonetheless don’t understand how the backdoor bought put in. Right here’s how the magic packet labored:
The passive agent is deployed to quietly observe all TCP visitors despatched to the system. It discreetly analyzes the incoming packets and watches for one in every of 5 particular units of knowledge contained in them. The circumstances are obscure sufficient to mix in with the traditional movement of visitors that community protection merchandise gained’t detect a menace. On the similar time, they’re uncommon sufficient that they’re not prone to be present in regular visitors.
