Juniper VPN gateways targeted by stealthy "magic" malware
Magic malware campaign was active for roughly a year
- Security researchers spot new piece of malware called J-Magic
- It listens to traffic in anticipation of a "magic packet"
- Once detected, J-Magic initiates the deployment of a backdoor
Hackers have been found targeting companies in the semiconductor, energy, manufacturing, and IT sectors, with a unique piece of malware called J-magic, experts have warned.
A new report from the Black Lotus Labs team at Lumen Technologies revealed that unnamed threat actors repurposed cd00r, a stealthy backdoor Trojan that provides unauthorized access to a system and was originally published as an open source proof-of-concept for educational and research purposes in cybersecurity.
The repurposed Trojan, dubbed “J-magic”, was being deployed to enterprise-grade Juniper routers serving as VPN gateways. The researchers don’t know how the endpoints were infected, but in any case the Trojan sat silently, sniffing traffic, until the attackers sent it a “magic” TCP packet.
SeaSpy2 and cd00r
“If any of these parameters or “magic packets” are received, the agent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software,” the researchers explained.
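The behaviour described above gives defenders something to hunt for in flow logs: a passive listener answers a packet sent to a port with no listener, and a VPN gateway that should only accept client connections suddenly opens an outbound session of its own. The following is an added detection sketch, not code from Lumen's report or from the malware; the gateway address, the 120-second window and the flow records are constructed assumptions, and the real J-magic magic-packet format is not on this page.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    ts: float     # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags on the first packet: "S" = SYN, "SA" = SYN-ACK

GATEWAY = "192.0.2.1"   # constructed address for the VPN gateway's external interface
WINDOW = 120.0          # assumed max delay between inbound probe and outbound callback

def find_callbacks(flows):
    """Return (probe, callback) pairs.

    A probe is an inbound SYN to the gateway that never received a SYN-ACK, which is
    what a magic packet aimed at a closed port looks like to a flow collector. A
    callback is a SYN the gateway itself sends to that same remote host within WINDOW
    seconds, i.e. the gateway answering a host it should have ignored.
    """
    answered = set()              # (remote ip, remote port, gateway port) the gateway replied to
    probes = defaultdict(list)    # remote ip -> inbound SYNs seen from it
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst == GATEWAY and f.flags == "S":
            probes[f.src].append(f)
        elif f.src == GATEWAY and f.flags == "SA":
            answered.add((f.dst, f.dport, f.sport))
        elif f.src == GATEWAY and f.flags == "S":
            for p in probes[f.dst]:
                unsolicited = (p.src, p.sport, p.dport) not in answered
                if unsolicited and 0 <= f.ts - p.ts <= WINDOW:
                    hits.append((p, f))
    return hits

# Constructed sample: one legitimate VPN client handshake, then a SYN to a port with no
# listener followed a second later by the gateway calling the sender back on port 4444.
SAMPLE_FLOWS = [
    Flow(0.0, "198.51.100.7", 40001, GATEWAY, 443, "S"),
    Flow(0.01, GATEWAY, 443, "198.51.100.7", 40001, "SA"),
    Flow(50.0, "203.0.113.9", 51000, GATEWAY, 8443, "S"),
    Flow(51.0, GATEWAY, 52222, "203.0.113.9", 4444, "S"),
    Flow(300.0, "198.51.100.7", 40002, GATEWAY, 443, "S"),
    Flow(300.01, GATEWAY, 443, "198.51.100.7", 40002, "SA"),
]

if __name__ == "__main__":
    for probe, cb in find_callbacks(SAMPLE_FLOWS):
        print(f"probe {probe.src}:{probe.sport} -> :{probe.dport} at t={probe.ts}, "
              f"gateway called back {cb.dst}:{cb.dport} at t={cb.ts}")
```

On real exports, the same pairing logic applies to NetFlow or Zeek conn records once they are mapped onto the Flow fields above.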
The campaign was first spotted in September 2023, and lasted roughly until mid-2024. Black Lotus could not say who the threat actors were, but said that elements of the activity “share some technical indicators” with a subset of prior reporting on a malware family named SeaSpy2.
“However, we do not have enough data points to link these two campaigns with high confidence,” they said.
In any case, SeaSpy2 is also built on cd00r, and works in similar fashion - scanning for magic packets. This persistent, passive backdoor, masqueraded as a legitimate Barracuda service called "BarracudaMailService," allows threat actors to execute arbitrary commands on compromised Barracuda Email Security Gateway (ESG) appliances.
SeaSpy was apparently built by UNC4841, a Chinese threat actor.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.