Critical Alert: J-magic Malware Targets Enterprise Networks Through Juniper Router Vulnerabilities

A sophisticated malware campaign dubbed "J-magic" is actively targeting Juniper Networks routers, potentially compromising corporate networks worldwide. The attacks, first detected in September 2023, specifically focus on routers running the FreeBSD-based Junos OS operating system.

According to research by Lumen Technologies' Black Lotus Labs, the campaign employs a custom variant of the cd00r backdoor, a passive agent that activates only when it detects specially crafted "magic packets" in network traffic. Once triggered, the malware opens a reverse shell connection that allows attackers to take control of the infected device.

The campaign primarily targets enterprise Juniper routers configured as VPN gateways, which represent approximately 50% of affected devices. This strategic targeting gives attackers potential access to entire corporate networks.

Organizations across multiple sectors have been impacted, including:

  • Manufacturing
  • Semiconductor industry
  • Information Technology
  • Energy sector

The malware operates by:

  • Installing a passive agent that monitors network traffic
  • Watching for specific predefined packet parameters
  • Creating a reverse shell when triggered
  • Implementing a challenge-response authentication system
  • Disguising itself as a legitimate system process
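One way a network team can hunt for the behaviour listed above is to correlate flow records: an unsolicited inbound packet to a router, followed shortly by the router itself opening a TCP connection back to that same external host, is the trigger-then-callback sequence of a magic-packet backdoor. The script below is an added example, not code from the article or from Black Lotus Labs; the one-line flow-record format, the sample addresses and the 60-second window are assumptions.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) one-line flow-record format, not a real vendor export:
# <epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <tcp_flags|->
FLOW_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) (\w+) (\S+)$")

# Constructed sample records (not from the article). 192.0.2.1 plays the router.
SAMPLE_FLOWS = """\
1700000000 203.0.113.7:44123 -> 192.0.2.1:443 tcp S
1700000001 203.0.113.7:44124 -> 192.0.2.1:9999 udp -
1700000005 192.0.2.1:53211 -> 203.0.113.7:443 tcp S
1700000010 198.51.100.3:50000 -> 192.0.2.1:22 tcp S
1700000020 192.0.2.1:60000 -> 198.51.100.9:123 udp -
"""

def parse_flows(text):
    """Return (ts, src, sport, dst, dport, proto, flags) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, proto, flags = m.groups()
            flows.append((int(ts), src, int(sport), dst, int(dport), proto, flags))
    return flows

def find_callbacks(flows, router_ips, window=60, allowed_peers=frozenset()):
    """Flag a router-originated TCP SYN to an external host that sent the router
    an unsolicited packet within `window` seconds. Routers terminate sessions;
    they rarely initiate TCP connections back to arbitrary Internet peers, so
    this pairing is a strong signal of a passive-backdoor callback."""
    seen_inbound = defaultdict(list)   # (router_ip, peer_ip) -> inbound timestamps
    alerts = []
    for ts, src, sport, dst, dport, proto, flags in sorted(flows):
        if dst in router_ips and src not in router_ips:
            seen_inbound[(dst, src)].append(ts)
        elif src in router_ips and proto == "tcp" and "S" in flags and dst not in allowed_peers:
            triggers = [t for t in seen_inbound[(src, dst)] if 0 <= ts - t <= window]
            if triggers:
                alerts.append({"router": src, "peer": dst, "callback_port": dport,
                               "trigger_ts": max(triggers), "callback_ts": ts})
    return alerts

if __name__ == "__main__":
    for alert in find_callbacks(parse_flows(SAMPLE_FLOWS), {"192.0.2.1"}):
        print(alert)
```

Legitimate peers the router is expected to call back (for example monitoring collectors) belong in `allowed_peers`, otherwise a normal management exchange will be flagged.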

While similar to a previous campaign called SEASPY that targeted Barracuda mail servers in 2022, researchers note distinct differences in the malware's capabilities and operational security measures.

The targeting of enterprise network infrastructure with sophisticated, memory-resident malware represents an evolving threat. Organizations using Juniper routers should implement robust monitoring systems and maintain current security updates to protect against such attacks.

Black Lotus Labs has identified infections across 36 unique IP addresses globally, with particularly concentrated activity in Europe and South America. The campaign remains active and continues to pose risks to enterprise networks relying on Juniper routing infrastructure.