
Backdoor Infecting VPNs used “magic packets” for stealth and security

When threat actors use backdoor malware to gain access to a network, they want to ensure that all their hard work cannot be hijacked by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what is known in the business as a "magic packet." On Thursday, researchers revealed that an unprecedented backdoor that quietly controlled dozens of enterprise VPNs running Juniper Networks' Junos OS did just that.

J-Magic, the nickname for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it issues a challenge to the device that sent it. The challenge takes the form of a string of text encrypted with the public half of an RSA key pair. The initiating party must then respond with the corresponding plaintext, proving that it holds the private key.

Open sesame

The lightweight backdoor is also notable because it lived only in memory, a feature that makes detection harder for defenders. The combination of a magic-packet trigger and a memory-only footprint caused researchers at Lumen Technologies' Black Lotus Labs to sit up and take notice.

"While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years," the researchers wrote. "The combination of targeting Junos OS routers that serve as a VPN gateway and implementing a passive listening in-memory only agent makes this an interesting confluence of tradecraft worthy of further observation."

The researchers found J-Magic on VirusTotal and determined that it had been run in the networks of 36 organizations. They still don't know how the backdoor was installed. This is how the magic packet worked:

The passive agent is deployed to silently observe all TCP traffic to the device. It discreetly analyzes the incoming packets and watches for one of five specific sets of data contained within them. The conditions are obscure enough to blend in with the normal flow of traffic that network defense products will not detect a threat. At the same time, they are unusual enough that they are unlikely to be found in normal traffic.