Backdoor infecting VPNs used “magic packets” for stealth and security [arstechnica.com]:
When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can’t be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what’s known in the business as a “magic packet.” On Thursday, researchers revealed that a never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs running Juniper Networks’ Junos OS has been doing just that.
J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After spotting a magic packet hidden in the normal flow of TCP traffic, it connects back to the address embedded in that packet and issues a challenge: a short random string encrypted with the public half of a hardcoded RSA key. The initiating party must respond with the corresponding plaintext, proving it holds the private key.
Open sesame
The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders. The combination prompted researchers at Lumen Technologies’ Black Lotus Labs to sit up and take notice.
“While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years,” the researchers wrote [lumen.com]. “The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent, makes this an interesting confluence of tradecraft worthy of further observation.”
The researchers found J-Magic on VirusTotal [virustotal.com] and determined that it had run inside the networks of 36 organizations. They still don’t know how the backdoor got installed. Here’s how the magic packet worked:
The passive agent is deployed to quietly observe all TCP traffic sent to the device. It discreetly analyzes the incoming packets and watches for one of five specific sets of data contained in them. The conditions are obscure enough to blend in with the normal flow of traffic, so network defense products won’t flag a threat. At the same time, they’re unusual enough that they’re not likely to appear in normal traffic.
Those conditions are:
Condition 1:
- the two bytes at offset 0x02 from the start of the TCP options are “1366”
- the TCP options must be at least 4 bytes in size
- the attacker IP address will be in the Sequence Number field of the TCP header
- the destination port number equals 443
Condition 2:
- the source port of the TCP header must contain the two-byte value “36429”
- the attacker IP address will be in the Sequence Number field of the TCP header
- the destination port number equals 443
Condition 3:
- the payload data following the IP and TCP headers starts with the four-byte string “Z4vE”
- the attacker IP address immediately follows the four-byte string (offset 0x04)
- the attacker port number immediately follows the IP address (offset 0x08)
Condition 4:
- at offset 0x08 within the TCP header, the option field starts with the two-byte sequence “59020”
- at offset 0xA within the TCP options starts the attacker IP address
- the destination port number equals 443
Condition 5:
- offset 0x08 within the TCP options starts with the two-byte sequence “59022”
- offset 0xA within the TCP options starts with the attacker IP address
- the attacker port number follows the attacker IP at offset 0x0E from the start of the TCP options
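The five conditions above are easier to reason about as a packet filter than as prose. The following is an added example written for this page, not code from the implant or from Black Lotus Labs: it parses a raw IPv4/TCP frame, reports which condition fires and the attacker IP/port the packet carries, and is the same logic a defender would hand to a capture tool to hunt for trigger packets. Two details the report does not spell out are assumed here: multi-byte values are read in network (big-endian) order, and condition 4’s “offset 0x08” is measured from the start of the TCP options, as in condition 5. The sample packets and addresses are constructed for the example.

```python
"""Passive matcher for the five J-Magic trigger conditions.  Added example for
this page; not the implant's code and not Black Lotus Labs' code.

Assumptions not stated in the report: multi-byte fields are big-endian, and
condition 4's "offset 0x08" is from the start of the TCP options (like
condition 5).  All sample packets and addresses below are constructed."""
import ipaddress
import struct
from typing import Optional, Tuple

Match = Tuple[int, str, Optional[int]]  # (condition number, attacker IP, attacker port)


def _u16(buf: bytes, off: int) -> Optional[int]:
    """Big-endian uint16 at off, or None if buf is too short."""
    return struct.unpack_from("!H", buf, off)[0] if len(buf) >= off + 2 else None


def _ip(buf: bytes, off: int) -> Optional[str]:
    """Dotted-quad for the 4 bytes at off, or None if buf is too short."""
    return str(ipaddress.IPv4Address(buf[off:off + 4])) if len(buf) >= off + 4 else None


def match_magic(pkt: bytes) -> Optional[Match]:
    """Return (condition, ip, port) if pkt is a J-Magic trigger packet, else None."""
    if len(pkt) < 20 or pkt[9] != 6:            # need an IPv4 header carrying TCP
        return None
    tcp = pkt[(pkt[0] & 0x0F) * 4:]             # skip IHL*4 bytes of IP header
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    doff = (off_flags >> 12) * 4                 # TCP data offset in bytes
    opts, payload = tcp[20:doff], tcp[doff:]
    seq_ip = str(ipaddress.IPv4Address(seq))     # conditions 1 and 2 hide the IP here

    if dport == 443 and len(opts) >= 4 and _u16(opts, 2) == 1366:      # condition 1
        return 1, seq_ip, None
    if dport == 443 and sport == 36429:                                # condition 2
        return 2, seq_ip, None
    if payload[:4] == b"Z4vE" and len(payload) >= 10:                  # condition 3
        return 3, _ip(payload, 4), _u16(payload, 8)
    if dport == 443 and _u16(opts, 8) == 59020 and len(opts) >= 14:    # condition 4
        return 4, _ip(opts, 0x0A), None
    if _u16(opts, 8) == 59022 and len(opts) >= 16:                     # condition 5
        return 5, _ip(opts, 0x0A), _u16(opts, 0x0E)
    return None


def build_packet(sport: int, dport: int, seq: int = 0,
                 options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4+TCP frame for testing (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)    # options area is padded to 32-bit words
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (doff << 12) | 0x02, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("203.0.113.9").packed,   # constructed sender
                     ipaddress.IPv4Address("192.0.2.1").packed)     # constructed gateway
    return ip + tcp


def _be16(v: int) -> bytes:
    return struct.pack("!H", v)


ATTACKER = "198.51.100.7"                       # constructed callback address
_A_INT = int(ipaddress.IPv4Address(ATTACKER))
_A_RAW = ipaddress.IPv4Address(ATTACKER).packed

SAMPLES = {
    "cond1": build_packet(40000, 443, seq=_A_INT, options=b"\x01\x01" + _be16(1366)),
    "cond2": build_packet(36429, 443, seq=_A_INT),
    "cond3": build_packet(40000, 8080, payload=b"Z4vE" + _A_RAW + _be16(4444)),
    "cond4": build_packet(40000, 443, options=b"\x01" * 8 + _be16(59020) + _A_RAW),
    "cond5": build_packet(40000, 22, options=b"\x01" * 8 + _be16(59022) + _A_RAW + _be16(4444)),
    # an ordinary packet to 443 carrying an MSS option (1460): must not match
    "benign": build_packet(40000, 443, seq=12345, options=b"\x02\x04\x05\xb4", payload=b"\x16\x03\x01"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:>6}: {match_magic(pkt)}")
```

Note how little the trigger costs the sender: conditions 1, 2 and 4 fit entirely inside a SYN to port 443, the most common packet a VPN gateway sees, which is why a port scan or a signature keyed on an unusual destination port would never see it.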
Black Lotus Labs wrote:
If any of the remote IP addresses match on one of the five predefined conditions above, it moves to spawn a reverse shell. The reverse_shell function forks, creating a child process and renames it to [nfsiod 1]. Next it enters a loop that will connect back to the IP and port retrieved from the packet filter, using SSL. It creates a random alphanumeric string that is five characters long. This random string is encrypted using a hardcoded public RSA key.
It sends the encrypted five-character string as a challenge to the supplied IP/port combo. The response from the IP is compared to the previously created random string. If they are not equal, the connection is closed. If the strings are equal, then a shell is created with the command prompt “” until it receives the exit command. This would allow them to run arbitrary commands on the impacted device.
The reason for the RSA challenge in J-Magic is likely to prevent other attackers from spraying magic packets all over the Internet to enumerate infected networks and then use the backdoor for their own competing purposes. Black Lotus Labs said a backdoor used in 2014 by Russian-state threat group Turla also used such a challenge.
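The point of the challenge is that knowing the trigger format is not enough; only the holder of the private key can answer. The following is an added example written for this page, not code from the implant or from Black Lotus Labs, modelling the exchange in the report: the implant side generates a five-character alphanumeric nonce, encrypts it under a hardcoded RSA public key, and spawns a shell only if the peer returns the plaintext. Everything here is constructed: the key pair is textbook RSA on two small known primes with no padding, which is not secure and far below real key sizes but lets the example run from the standard library; the operator and impostor are stand-ins for the key holder and for a third party who has merely learned the trigger format.

```python
"""Toy model of the J-Magic RSA challenge/response.  Added example for this
page; not the implant's code and not Black Lotus Labs' code.

Constructed: textbook RSA on two small known primes, no padding (NOT secure,
demonstration only), plus a genuine operator and an impostor."""
import secrets
import string

P, Q = 2147483647, 1000003          # constructed toy primes; N is about 51 bits
N, E = P * Q, 65537                 # public key (what the implant hardcodes)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the real operator

ALPHABET = string.ascii_letters + string.digits
NONCE_LEN = 5                       # the report: a random five-character alphanumeric string


def implant_challenge(nonce=None):
    """Implant side: pick the nonce and return (nonce, ciphertext).

    A 5-byte ASCII string is a 40-bit integer, so it fits under N (~2^51)
    without padding.  Only the ciphertext leaves the implant."""
    if nonce is None:
        nonce = "".join(secrets.choice(ALPHABET) for _ in range(NONCE_LEN))
    m = int.from_bytes(nonce.encode("ascii"), "big")
    return nonce, pow(m, E, N)


def operator_respond(ciphertext, d=D):
    """Genuine operator: decrypt with the private key and send back the plaintext."""
    m = pow(ciphertext, d, N)
    return m.to_bytes(NONCE_LEN, "big").decode("ascii")


def impostor_respond(ciphertext):
    """A third party who knows the magic-packet format but has no private key.

    The ciphertext is opaque to them, so the best they can do is guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(NONCE_LEN))


def implant_verify(nonce, response):
    """Implant side: the shell is spawned only if the response equals the nonce."""
    return secrets.compare_digest(nonce.encode("ascii"), response.encode("ascii"))


def run_session(responder):
    """Drive one challenge/response round; True means a shell would be spawned."""
    nonce, ct = implant_challenge()
    return implant_verify(nonce, responder(ct))


if __name__ == "__main__":
    print("operator gets shell:", run_session(operator_respond))
    print("impostor gets shell:", run_session(impostor_respond))
```

Because the challenge is tied to a key held only by the operator, a rival who reverse-engineers the trigger and sprays magic packets across the Internet learns nothing more than that a host answered: it still cannot pass verification.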
Completely invisible
Magic packets give backdoors more stealth because the malware doesn’t need to open a port of its own and listen for incoming connections. Defenders routinely scan their networks for listening ports, and an open port they don’t recognize is a likely giveaway of an infection. Backdoors like J-Magic instead inspect all incoming traffic and look for the few bytes that match their trigger conditions.
The J-Magic agent is a variant of cd00r, a proof of concept first released in 2000 and updated [archive.org] in 2014. It was designed, as the developer explained it, to “test the idea of a completely invisible (read: not listening) backdoor server.” The same year cd00r was updated, security researchers found [securelist.com] Turla incorporating a cd00r-based agent into its own custom backdoor.
Magic packets have been in use for years. Threat actors working on behalf of the Chinese government [arstechnica.com] and other nation-states [arstechnica.com] have been caught [arstechnica.com] doing the same thing, as have the developers of a proof-of-concept rootkit [arstechnica.com] for infecting GPUs.
Black Lotus Labs also said that the campaign using J-Magic overlaps with one from 2023 that used a backdoor, tracked as SeaSpy, that infected Barracuda mail servers [arstechnica.com]. Both borrow heavily from cd00r, and both are developed to run on FreeBSD, the operating system used in both Barracuda and Juniper devices.
Black Lotus Labs determined that J-Magic was active from mid-2023 until at least mid-2024. Targets came from a wide array of industries, including the semiconductor, energy, manufacturing, and IT verticals.