Backdoor infecting VPNs used magic packets for stealth and security
arstechnica.com
A "COMPLETELY INVISIBLE" BACKDOOR

J-Magic backdoor infected organizations in a wide array of industries.

Dan Goodin, Jan 23, 2025 6:42 pm

When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can't be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what's known in the business as a magic packet. On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Networks' Junos OS has been doing just that.

J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it connects back to the address carried in that packet and issues a challenge. The challenge comes in the form of a short string of text that's encrypted using the public portion of an RSA key. The initiating party must then respond with the corresponding plaintext, proving it holds the matching private key.

Open sesame

The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumen Technologies' Black Lotus Labs to sit up and take notice.

"While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years," the researchers wrote. "The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent, makes this an interesting confluence of tradecraft worthy of further observation."

The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don't know how the backdoor got installed. Here's how the magic packet worked:

The passive agent is deployed to quietly observe all TCP traffic sent to the device. It discreetly analyzes the incoming packets and watches for one of five specific sets of data contained in them. The conditions are obscure enough to blend into the normal flow of traffic, so network defense products don't flag a threat; at the same time, they're unusual enough that they're unlikely to occur in legitimate traffic.

Those conditions are:

Condition 1:
- at offset 0x02 from the start of the TCP options, the two-byte sequence 1366
- the TCP options must be at least 4 bytes in size
- the attacker IP address is in the Sequence Number field of the TCP header
- the destination port number equals 443

Condition 2:
- the source port of the TCP header contains the two-byte sequence 36429
- the attacker IP address is in the Sequence Number field of the TCP header
- the destination port number equals 443

Condition 3:
- the payload data following the IP and TCP headers starts with the four-byte string Z4vE
- the attacker IP address immediately follows the four-byte string, at offset 0x04
- the attacker port number immediately follows the IP address, at offset 0x08

Condition 4:
- at offset 0x08 within the TCP options, the two-byte sequence 59020
- at offset 0x0A within the TCP options, the attacker IP address
- the destination port number equals 443

Condition 5:
- at offset 0x08 within the TCP options, the two-byte sequence 59022
- at offset 0x0A within the TCP options, the attacker IP address
- the attacker port number follows the attacker IP, at offset 0x0E from the start of the TCP options

Black Lotus Labs wrote:

"If any of the remote IP addresses match on one of the five predefined conditions above, it moves to spawn a reverse shell. The reverse_shell function forks, creating a child process and renames it to [nfsiod 1]. Next it enters a loop that will connect back to the IP and port retrieved from the packet filter, using SSL. It creates a random alphanumeric string that is five characters long. This random string is encrypted using a hardcoded public RSA key. It sends the encrypted five-character string as a challenge to the supplied IP/port combo. The response from the IP is compared to the previously created random string. If they are not equal, the connection is closed. If the strings are equal, then a shell is created with the command prompt >> until it receives the exit command. This would allow them to run arbitrary commands on the impacted device."

The reason for the RSA challenge in J-Magic is likely to prevent other attackers from spraying magic packets all over the Internet to enumerate infected networks and then using the backdoor for their own competing purposes. Black Lotus Labs said a backdoor used in 2014 by the Russian-state threat group Turla also used such a challenge.

Completely invisible

Magic packets give backdoors more stealth because the malware doesn't need to open a specific port to listen for incoming connections. Defenders routinely scan their networks for such ports, and an open port they don't recognize is likely to get the infection detected. Backdoors like J-Magic instead listen to all incoming data and search for tiny specks of it that meet certain conditions.

The J-Magic agent is a variant of cd00r, a PoC first released in 2000 and updated in 2014. It was designed to, as the developer explained it, "test the idea of a completely invisible (read: not listening) backdoor server."
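The five trigger conditions above, written out as a matcher over raw IPv4/TCP frames. This is an added example for this page, not code from Black Lotus Labs or from the J-Magic sample, and it makes two assumptions the report does not spell out: the two-byte markers (1366, 36429, 59020, 59022) are read in network byte order as unsigned 16-bit integers, and the embedded addresses are IPv4 in network order. Where the list gives no callback port for a condition, the matcher returns None for it. The frames it runs over are constructed here with documentation addresses; they are not captures from the campaign.

```python
"""Matcher for the five J-Magic magic-packet conditions, run over raw IPv4/TCP frames."""
import ipaddress
import struct
from typing import Optional, Tuple

IPV4_MIN_HDR = 20
TCP_MIN_HDR = 20

Match = Tuple[int, str, Optional[int]]  # (condition number, callback IP, callback port or None)


def parse_ipv4_tcp(frame: bytes):
    """Split a raw IPv4/TCP frame (no link-layer header) into the fields the filter inspects."""
    if len(frame) < IPV4_MIN_HDR or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6 or len(frame) < ihl + TCP_MIN_HDR:       # IP protocol 6 = TCP
        return None
    tcp = frame[ihl:]
    src_port, dst_port, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    if data_off < TCP_MIN_HDR or len(tcp) < data_off:
        return None
    return src_port, dst_port, seq, tcp[TCP_MIN_HDR:data_off], tcp[data_off:]


def u16(buf: bytes, off: int) -> Optional[int]:
    """Big-endian uint16 at buf[off] (assumed byte order), or None if the buffer is too short."""
    return struct.unpack_from("!H", buf, off)[0] if len(buf) >= off + 2 else None


def ip4(buf: bytes, off: int) -> Optional[str]:
    """Dotted IPv4 address stored at buf[off:off+4], or None if the buffer is too short."""
    return str(ipaddress.IPv4Address(buf[off:off + 4])) if len(buf) >= off + 4 else None


def jmagic_match(frame: bytes) -> Optional[Match]:
    """Return the first condition a frame satisfies plus the callback IP/port it carries."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return None
    src_port, dst_port, seq, opts, payload = parsed
    seq_ip = str(ipaddress.IPv4Address(seq))           # conditions 1 and 2 hide the IP here

    # Condition 1: options[2:4] == 1366, options >= 4 bytes, dst port 443, IP in sequence number.
    if dst_port == 443 and len(opts) >= 4 and u16(opts, 0x02) == 1366:
        return 1, seq_ip, None
    # Condition 2: source port 36429, dst port 443, IP in sequence number.
    if dst_port == 443 and src_port == 36429:
        return 2, seq_ip, None
    # Condition 3: payload "Z4vE" + IP at 0x04 + port at 0x08; no destination port is listed.
    if payload[:4] == b"Z4vE" and len(payload) >= 0x0A:
        return 3, ip4(payload, 0x04), u16(payload, 0x08)
    # Condition 4: options[8:10] == 59020, IP at options offset 0x0A, dst port 443.
    if dst_port == 443 and u16(opts, 0x08) == 59020 and len(opts) >= 0x0E:
        return 4, ip4(opts, 0x0A), None
    # Condition 5: options[8:10] == 59022, IP at 0x0A, port at 0x0E; no port-443 requirement listed.
    if u16(opts, 0x08) == 59022 and len(opts) >= 0x10:
        return 5, ip4(opts, 0x0A), u16(opts, 0x0E)
    return None


def build_frame(src_port: int, dst_port: int, seq: int, options: bytes = b"",
                payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP SYN for testing (checksums left zero; not real traffic)."""
    options += b"\x00" * (-len(options) % 4)            # TCP options are padded to 32-bit words
    data_off = (TCP_MIN_HDR + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, data_off << 4, 0x02, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("10.0.0.5").packed,
                     ipaddress.IPv4Address("192.0.2.1").packed)
    return ip + tcp


def addr(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


# Constructed sample frames (documentation addresses): one per condition plus two controls.
SAMPLES = {
    "cond1": build_frame(40000, 443, addr("198.51.100.7"), options=b"\x01\x01" + struct.pack("!H", 1366)),
    "cond2": build_frame(36429, 443, addr("203.0.113.9")),
    "cond3": build_frame(40000, 8080, 12345,
                         payload=b"Z4vE" + packed("198.51.100.20") + struct.pack("!H", 4444)),
    "cond4": build_frame(40000, 443, 12345,
                         options=b"\x00" * 8 + struct.pack("!H", 59020) + packed("203.0.113.40")),
    "cond5": build_frame(40000, 443, 12345,
                         options=b"\x00" * 8 + struct.pack("!H", 59022) + packed("198.51.100.30")
                         + struct.pack("!H", 31337)),
    # Ordinary SYN to 443 with MSS 1460: options offset 2 reads 1460, not 1366, so no match.
    "benign_syn": build_frame(40000, 443, 12345, options=b"\x02\x04\x05\xb4"),
    # A SYN whose MSS is 1366 lands on condition 1, and its sequence number is read as an address.
    "mss_1366": build_frame(40000, 443, addr("192.0.2.77"), options=b"\x02\x04" + struct.pack("!H", 1366)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:11s} -> {jmagic_match(frame)}")
```

The last two samples show why the triggers blend in: offset 0x02 of the TCP options is exactly where the value of a leading MSS option (kind 2, length 4) sits, so any SYN to port 443 advertising an MSS of 1366 satisfies condition 1 as listed. A byte-offset matcher like this is therefore useful for hunting through captures for the callback addresses, but a blocking rule built on condition 1 alone would have to tolerate legitimate SYNs with that MSS.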
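The challenge/response gate described in the quoted paragraph, modelled end to end as an added example (this is code written for this page, not the implant's code or anything published by Black Lotus Labs). It uses textbook RSA with a fixed demo key built from two known primes so it runs on a bare Python install; the report does not say what key size or padding the real implant uses, so the key construction is an assumption, as are the names `Implant`, `operator_respond`, `rival_respond` and `handshake`. Both sides of the exchange are shown: the operator who holds the private key, and a rival who found the implant by spraying magic packets and holds only what the implant itself contains.

```python
"""The J-Magic challenge/response gate, modelled with textbook RSA from the standard library."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # "random alphanumeric string ... five characters"

# Demo key from two Mersenne primes so the block needs no key generator. Textbook RSA
# (no padding) stands in for whatever RSA construction the real implant uses; that is unknown.
P = 2 ** 127 - 1
Q = 2 ** 89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # operator's private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)                          # the part that is hardcoded into the implant
PRIVATE_KEY = (N, D)                         # the part only the legitimate operator holds
N_BYTES = (N.bit_length() + 7) // 8


class Implant:
    """The passive agent's side of the gate: it knows only the public key."""

    def __init__(self, public_key):
        self.n, self.e = public_key
        self.secret = None

    def make_challenge(self, nonce: str = None) -> bytes:
        """Pick a 5-char alphanumeric nonce, RSA-encrypt it, and return the ciphertext to send."""
        self.secret = nonce or "".join(secrets.choice(ALPHABET) for _ in range(5))
        m = int.from_bytes(self.secret.encode(), "big")      # 40-bit message, far below n
        return pow(m, self.e, self.n).to_bytes(N_BYTES, "big")

    def verify(self, response: bytes) -> bool:
        """The shell is granted only if the peer returned the exact plaintext nonce."""
        return secrets.compare_digest(response, self.secret.encode())


def operator_respond(private_key, challenge: bytes) -> bytes:
    """The legitimate operator decrypts with the private key and returns the plaintext."""
    n, d = private_key
    m = pow(int.from_bytes(challenge, "big"), d, n)
    return m.to_bytes(5, "big")


def rival_respond(challenge: bytes) -> bytes:
    """A rival without the private key can only echo what it received; that never equals
    the nonce, so the implant closes the connection."""
    return challenge


def handshake(implant: Implant, respond) -> bool:
    """One round of the gate: challenge out, response in, decision (True = shell spawned)."""
    return implant.verify(respond(implant.make_challenge()))


if __name__ == "__main__":
    print("operator:", handshake(Implant(PUBLIC_KEY), lambda c: operator_respond(PRIVATE_KEY, c)))
    print("rival:   ", handshake(Implant(PUBLIC_KEY), rival_respond))
```

Two properties of the gate follow directly from this shape. The nonce is fresh per connection, so a response captured from a genuine operator session cannot be replayed later. And because the implant embeds only the public key, recovering the sample from memory or from VirusTotal, as the researchers did, yields nothing that would let a third party pass the check on other infected devices.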
The same year cd00r was updated, security researchers found Turla incorporating the cd00r agent into its own custom backdoor.

Magic packets have been in use for years. Threat actors working on behalf of the Chinese government and other nation-states have been caught doing the same thing, as have the developers of a proof-of-concept rootkit for infecting GPUs.

Black Lotus Labs also said that the campaign using J-Magic overlaps with one from 2023 that used a backdoor, tracked as SeaSpy, that infected Barracuda mail servers. Both borrow heavily from cd00r, and both are built to run on FreeBSD, the operating system used in both Barracuda and Juniper devices.

Black Lotus has determined that J-Magic was active from mid-2023 until at least mid-2024. Targets came from a wide array of industries, including the semiconductor, energy, manufacturing, and IT verticals.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Contact him on Signal at DanArs.82.