When menace actors use backdoor malware to realize entry to a community, they need to make certain all their arduous work can’t be leveraged by competing teams or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that continues to be dormant till it receives what’s recognized within the enterprise as a “magic packet.” On Thursday, researchers revealed {that a} never-before-seen backdoor that quietly took maintain of dozens of enterprise VPNs operating Juniper Community’s Junos OS has been doing simply that.
J-Magic, the monitoring identify for the backdoor, goes one step additional to forestall unauthorized entry. After receiving a magic packet hidden within the regular stream of TCP site visitors, it relays a problem to the system that despatched it. The problem comes within the type of a string of textual content that’s encrypted utilizing the general public portion of an RSA key. The initiating occasion should then reply with the corresponding plaintext, proving it has entry to the key key.
Open sesame
The light-weight backdoor can be notable as a result of it resided solely in reminiscence, a trait that makes detection more durable for defenders. The mixture prompted researchers at Lumen Know-how’s Black Lotus Lab to sit down up and take discover.
“Whereas this isn’t the primary discovery of magic packet malware, there have solely been a handful of campaigns in recent times,” the researchers wrote. “The mixture of focusing on Junos OS routers that function a VPN gateway and deploying a passive listening in-memory solely agent, makes this an fascinating confluence of tradecraft worthy of additional statement.”
The researchers discovered J-Magic on VirusTotal and decided that it had run contained in the networks of 36 organizations. They nonetheless don’t know the way the backdoor bought put in. Right here’s how the magic packet labored:
The passive agent is deployed to quietly observe all TCP site visitors despatched to the system. It discreetly analyzes the incoming packets and watches for one in every of 5 particular units of information contained in them. The circumstances are obscure sufficient to mix in with the conventional stream of site visitors that community protection merchandise gained’t detect a menace. On the similar time, they’re uncommon sufficient that they’re not more likely to be present in regular site visitors.
When menace actors use backdoor malware to realize entry to a community, they need to make certain all their arduous work can’t be leveraged by competing teams or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that continues to be dormant till it receives what’s recognized within the enterprise as a “magic packet.” On Thursday, researchers revealed {that a} never-before-seen backdoor that quietly took maintain of dozens of enterprise VPNs operating Juniper Community’s Junos OS has been doing simply that.
J-Magic, the monitoring identify for the backdoor, goes one step additional to forestall unauthorized entry. After receiving a magic packet hidden within the regular stream of TCP site visitors, it relays a problem to the system that despatched it. The problem comes within the type of a string of textual content that’s encrypted utilizing the general public portion of an RSA key. The initiating occasion should then reply with the corresponding plaintext, proving it has entry to the key key.
Open sesame
The light-weight backdoor can be notable as a result of it resided solely in reminiscence, a trait that makes detection more durable for defenders. The mixture prompted researchers at Lumen Know-how’s Black Lotus Lab to sit down up and take discover.
“Whereas this isn’t the primary discovery of magic packet malware, there have solely been a handful of campaigns in recent times,” the researchers wrote. “The mixture of focusing on Junos OS routers that function a VPN gateway and deploying a passive listening in-memory solely agent, makes this an fascinating confluence of tradecraft worthy of additional statement.”
The researchers discovered J-Magic on VirusTotal and decided that it had run contained in the networks of 36 organizations. They nonetheless don’t know the way the backdoor bought put in. Right here’s how the magic packet labored:
The passive agent is deployed to quietly observe all TCP site visitors despatched to the system. It discreetly analyzes the incoming packets and watches for one in every of 5 particular units of information contained in them. The circumstances are obscure sufficient to mix in with the conventional stream of site visitors that community protection merchandise gained’t detect a menace. On the similar time, they’re uncommon sufficient that they’re not more likely to be present in regular site visitors.
