The so-called “J-Magic” malware installs a backdoor on Juniper Networks routers and specifically targets the Junos OS operating system. It mainly targets companies in the chip and energy sectors, as well as IT companies, in Europe and Latin America.
Researchers at Black Lotus Labs, the security division of Lumen Technologies, found that Juniper Networks routers were attacked with targeted malware between mid-2023 and 2024. This “J-Magic” malware is a variant of the open-source “cd00r” backdoor and is the basis for a so-called “reverse shell” attack.
Before activating, the malware checks incoming traffic against five preset parameters. When the affected system receives a packet that matches one of these parameters (a so-called ‘magic packet’), the malware sends a confirmation request. After confirmation, J-Magic installs a reverse shell on the local file system, which allows attackers to take over the device, in this case a router. Through these compromised routers, data can be stolen or additional malware distributed. The malware specifically targets Junos OS, Juniper Networks’ operating system.
Targets in Europe and Latin America
According to the researchers, routers configured as VPN gateways are particularly targeted by the malware. About half of the compromised routers fell into this category. J-Magic targets companies in sectors such as chip manufacturing, manufacturing, IT and energy, with companies in Europe and Latin America being specific targets. The attacks could potentially be part of a larger reconnaissance campaign.
The researchers say the malware found has similarities to an earlier cd00r variant called SeaSpy, which specifically targeted Barracuda Networks’ Email Security Gateways. Despite some similarities, the researchers assume that the J-Magic campaign is an independent operation.
Network devices targeted more often
According to Black Lotus Labs, attacks on routers pose a growing challenge for businesses. Instead of targeting end-user devices, attackers are increasingly focusing on network devices. These devices often have fewer security measures in place and can provide extensive access to corporate networks.
Malware for network devices is also becoming more sophisticated and better hidden, with the goal of maintaining a long-term presence. This malware often resides only in memory, which makes detection difficult and allows prolonged access. Network devices at the edge of corporate networks, such as VPN gateways, are especially favored targets. Companies would therefore do well to focus their security efforts on these devices.
It is currently unclear whether a patch is available for this vulnerability in Juniper routers.