date 2025-01-01
Backdoor infecting VPNs used "magic packets" for stealth and security
When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can't be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what's known in the business as a "magic packet." On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Networks' Junos OS has been doing just that.
J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it relays a challenge to the device that sent it. The challenge comes in the form of a string of text that's encrypted using the public portion of an RSA key. The initiating party must then respond with the corresponding plaintext, proving it has access to the secret key.
The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumen Technologies' Black Lotus Labs to sit up and take notice.
[...] The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don't know how the backdoor got installed. Here's how the magic packet worked:
The passive agent is deployed to quietly observe all TCP traffic sent to the device. It discreetly analyzes the incoming packets and watches for one of five specific sets of data contained in them. The conditions are obscure enough to blend in with the normal flow of traffic, so that network defense products won't detect a threat. At the same time, they're unusual enough that they're not likely to be found in normal traffic.
Those conditions are:
Condition 1:
- offset 0x02 from the start of the TCP options holds the following two-byte sequence: "1366"
- the TCP options must be at least 4 bytes in size
- the attacker IP address will be in the "Sequence Number" field of the TCP header
- the destination port number equals 443
Condition 2:
- the source port of the TCP header must contain the following two-byte sequence "36429"
- the attacker IP address will be in the Sequence Number field of the TCP header
- the destination port number equals 443
Condition 3:
- the payload data following the IP and TCP headers starts with the four-byte string: Z4vE
- the attacker IP address will immediately follow the four-byte string, at offset 0x04
- the attacker port number will immediately follow the IP address at offset 0x08
Condition 4:
- at offset 0x08 within the TCP header, the option field starts the following two-byte sequence "59020"
- at offset 0xA within the TCP options starts the attacker IP address
- the destination port number equals 443
Condition 5:
- offset 0x08 within the TCP options starts the following two-byte sequence "59022"
- offset 0xA within the TCP options starts the attacker IP address
- the attacker port number will follow the attacker IP at offset 0x0E from the start of the TCP option
Black Lotus Labs wrote:
If any of the remote IP addresses match on one of the five predefined conditions above, it moves to spawn a reverse shell. The reverse_shell function forks, creating a child process, and renames it to [nfsiod 1]. Next it enters a loop that will connect back to the IP and port retrieved from the packet filter, using SSL. It creates a random alphanumeric string that is five characters long. This random string is encrypted using a hardcoded public RSA key.
It sends the encrypted five-character string as a challenge to the supplied IP/port combo. The response from the IP is compared to the previously created random string. If they are not equal, the connection is closed. If the strings are equal, then a shell is created with the command prompt "" until it receives the exit command. This would allow them to run arbitrary commands on the impacted device.
The reason for the RSA challenge in J-Magic is likely to prevent other attackers from spraying magic packets all over the Internet to enumerate infected networks and then using the backdoor for their own competing purposes. Black Lotus Labs said a backdoor used in 2014 by the Russian state threat group Turla also used such a challenge.
Magic packets give backdoors more stealth because the malware doesn't need to open a specific port to listen for incoming connections. Defenders routinely scan their networks for such ports. If they spot an open port they don't recognize, it's likely the infection will be detected. Backdoors like J-Magic listen to all incoming data and search for tiny specks of it that meet certain conditions.
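Because the backdoor never opens a listening port, the only place to catch it is on the wire: a detector that checks every TCP packet headed for the device against the five conditions listed above. The following is an added example written for this article, not code from Black Lotus Labs or Juniper; it assumes the report's "two-byte sequences" are big-endian 16-bit integers (1366 = 0x0556, which also fits Condition 2, where 36429 is a source port), that the IP in the Sequence Number field is stored in network byte order, and that Condition 4's offset 0x08 is measured within the TCP options as Condition 5's is. The sample packets are constructed with RFC 5737 documentation addresses.

```python
import struct
import ipaddress

def u16(v: int) -> bytes:          # assumption: report's two-byte values are big-endian
    return v.to_bytes(2, "big")

def ip4(v) -> str:                 # int (Sequence Number field) or 4 raw bytes -> dotted quad
    return str(ipaddress.IPv4Address(v))

def parse_ipv4_tcp(pkt: bytes):
    """Split a raw IPv4+TCP packet into (src_port, dst_port, seq, tcp_options, payload)."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    tcp = pkt[ihl:]
    src, dst, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4                       # TCP header length including options
    return src, dst, seq, tcp[20:doff], tcp[doff:]

def match_jmagic(pkt: bytes):
    """Return (condition, callback_ip, callback_port) if pkt satisfies one of the five
    conditions, else None. Port is None where the report names no port field."""
    src, dst, seq, opts, data = parse_ipv4_tcp(pkt)
    if dst == 443 and len(opts) >= 4 and opts[2:4] == u16(1366):
        return 1, ip4(seq), None
    if dst == 443 and src == 36429:
        return 2, ip4(seq), None
    if data[:4] == b"Z4vE" and len(data) >= 10:
        return 3, ip4(data[4:8]), int.from_bytes(data[8:10], "big")
    if dst == 443 and len(opts) >= 14 and opts[8:10] == u16(59020):  # offset taken as options-relative
        return 4, ip4(opts[10:14]), None
    if len(opts) >= 16 and opts[8:10] == u16(59022):
        return 5, ip4(opts[10:14]), int.from_bytes(opts[14:16], "big")
    return None

def build_ipv4_tcp(src, dst, seq, opts=b"", data=b"") -> bytes:
    """Constructed test input only: minimal IPv4 + TCP headers, checksums left at zero."""
    opts += b"\x00" * (-len(opts) % 4)              # TCP options are padded to 32-bit words
    tcp = struct.pack("!HHIIBBHHH", src, dst, seq, 0, ((20 + len(opts)) // 4) << 4, 0x02, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(opts) + len(data),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + opts + data

# Constructed samples: an ordinary TLS SYN carrying an MSS option, plus one probe each
# for Conditions 1, 3 and 5 (callback addresses are RFC 5737 documentation ranges).
SAMPLES = {
    "benign_syn": build_ipv4_tcp(51000, 443, 0x1234, opts=b"\x02\x04\x05\xb4"),
    "cond1": build_ipv4_tcp(40000, 443, int(ipaddress.IPv4Address("203.0.113.5")), opts=b"\x00\x00" + u16(1366)),
    "cond3": build_ipv4_tcp(40000, 22, 1, data=b"Z4vE" + bytes([192, 0, 2, 10]) + u16(4444)),
    "cond5": build_ipv4_tcp(40000, 80, 1, opts=b"\x00" * 8 + u16(59022) + bytes([198, 51, 100, 7]) + u16(8443)),
}
```

Condition 1 on its own collides with a legitimate MSS option of 1366 bytes (the MSS value sits exactly at options offset 0x02), so treat a hit as a hunting lead to corroborate with the outbound SSL callback to the extracted IP, not as a verdict.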
[...] Black Lotus has determined that J-Magic was active from mid-2023 until at least mid-2024. Targets came from a wide array of industries, including semiconductor, energy, manufacturing, and IT verticals.