When menace actors use backdoor malware to achieve entry to a community, they wish to ensure all their exhausting work can’t be leveraged by competing teams or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that is still dormant till it receives what’s identified within the enterprise as a “magic packet.” On Thursday, researchers revealed {that a} never-before-seen backdoor that quietly took maintain of dozens of enterprise VPNs operating Juniper Community’s Junos OS has been doing simply that.
J-Magic, the monitoring identify for the backdoor, goes one step additional to forestall unauthorized entry. After receiving a magic packet hidden within the regular stream of TCP visitors, it relays a problem to the gadget that despatched it. The problem comes within the type of a string of textual content that’s encrypted utilizing the general public portion of an RSA key. The initiating celebration should then reply with the corresponding plaintext, proving it has entry to the key key.
Open sesame
The light-weight backdoor can also be notable as a result of it resided solely in reminiscence, a trait that makes detection tougher for defenders. The mixture prompted researchers at Lumin Expertise’s Black Lotus Lab to sit down up and take discover.
“Whereas this isn’t the primary discovery of magic packet malware, there have solely been a handful of campaigns lately,” the researchers wrote. “The mixture of focusing on Junos OS routers that function a VPN gateway and deploying a passive listening in-memory solely agent, makes this an attention-grabbing confluence of tradecraft worthy of additional statement.”
The researchers discovered J-Magic on VirusTotal and decided that it had run contained in the networks of 36 organizations. They nonetheless don’t know the way the backdoor bought put in. Right here’s how the magic packet labored:
The passive agent is deployed to quietly observe all TCP visitors despatched to the gadget. It discreetly analyzes the incoming packets and watches for one in all 5 particular units of knowledge contained in them. The situations are obscure sufficient to mix in with the conventional stream of visitors that community protection merchandise received’t detect a menace. On the identical time, they’re uncommon sufficient that they’re not prone to be present in regular visitors.
When menace actors use backdoor malware to achieve entry to a community, they wish to ensure all their exhausting work can’t be leveraged by competing teams or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that is still dormant till it receives what’s identified within the enterprise as a “magic packet.” On Thursday, researchers revealed {that a} never-before-seen backdoor that quietly took maintain of dozens of enterprise VPNs operating Juniper Community’s Junos OS has been doing simply that.
J-Magic, the monitoring identify for the backdoor, goes one step additional to forestall unauthorized entry. After receiving a magic packet hidden within the regular stream of TCP visitors, it relays a problem to the gadget that despatched it. The problem comes within the type of a string of textual content that’s encrypted utilizing the general public portion of an RSA key. The initiating celebration should then reply with the corresponding plaintext, proving it has entry to the key key.
Open sesame
The light-weight backdoor can also be notable as a result of it resided solely in reminiscence, a trait that makes detection tougher for defenders. The mixture prompted researchers at Lumin Expertise’s Black Lotus Lab to sit down up and take discover.
“Whereas this isn’t the primary discovery of magic packet malware, there have solely been a handful of campaigns lately,” the researchers wrote. “The mixture of focusing on Junos OS routers that function a VPN gateway and deploying a passive listening in-memory solely agent, makes this an attention-grabbing confluence of tradecraft worthy of additional statement.”
The researchers discovered J-Magic on VirusTotal and decided that it had run contained in the networks of 36 organizations. They nonetheless don’t know the way the backdoor bought put in. Right here’s how the magic packet labored:
The passive agent is deployed to quietly observe all TCP visitors despatched to the gadget. It discreetly analyzes the incoming packets and watches for one in all 5 particular units of knowledge contained in them. The situations are obscure sufficient to mix in with the conventional stream of visitors that community protection merchandise received’t detect a menace. On the identical time, they’re uncommon sufficient that they’re not prone to be present in regular visitors.
