When threat actors use backdoor malware to gain access to a network, they want to make sure that all their hard work cannot be used by competitors or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains inactive until it receives what is known in the business as a “magic packet.” On Thursday, researchers revealed that a never-before-seen backdoor that silently took hold of dozens of enterprise VPNs running Juniper Networks’ Junos OS has been doing precisely that.
J-Magic, the tracking name for the backdoor, goes one step further to prevent unauthorized access. After receiving a magic packet hidden in the normal flow of TCP traffic, it sends a challenge to the device that sent it. The challenge comes in the form of a string of text encrypted with the public half of an RSA key. The initiating party must then respond with the corresponding plaintext, proving that it has access to the secret key.
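The challenge-response step described above is a standard proof-of-possession protocol: the side holding only the public key encrypts a fresh random value, and only a peer holding the matching private key can return the plaintext, which is why a third party who merely captured the magic packet cannot reuse it. The following Python is an added illustration written for this article, not code from the researchers or from the malware; it uses textbook RSA on two constructed primes with no padding, purely to make the exchange visible, and the key material, nonce range and function names are all assumptions of the example.

```python
"""Challenge-response with an RSA key pair, as described for J-Magic:
the verifier (public key only) encrypts a random nonce and the prover
demonstrates possession of the private key by returning the plaintext.

Textbook RSA (no padding) on fixed primes, for illustration only; every
value below is constructed for this example.
"""
import hmac
import secrets

# Constructed key material: two well-known primes and the usual exponent.
P = 1_000_000_007
Q = 998_244_353
E = 65537


def make_keypair():
    """Return ((n, e), (n, d)) derived from the constructed primes above."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def issue_challenge(public_key):
    """Verifier side: encrypt a fresh nonce, return (ciphertext, nonce).

    A new random nonce per challenge means a recorded answer is useless
    against a later challenge, so capturing one exchange is not enough.
    """
    n, e = public_key
    nonce = secrets.randbelow(n - 2) + 2  # skip the trivial plaintexts 0 and 1
    ciphertext = pow(nonce, e, n)
    return ciphertext, nonce


def respond(private_key, ciphertext):
    """Prover side: only the holder of d recovers the nonce."""
    n, d = private_key
    return pow(ciphertext, d, n)


def verify(public_key, expected, response):
    """Compare the returned plaintext with the nonce in constant time."""
    n, _ = public_key
    if not 0 <= response < n:
        return False
    width = (n.bit_length() + 7) // 8
    return hmac.compare_digest(
        expected.to_bytes(width, "big"), response.to_bytes(width, "big")
    )


def run_exchange(holder_has_key):
    """Run one full exchange; the prover either holds d or only a wrong value."""
    public_key, private_key = make_keypair()
    ciphertext, nonce = issue_challenge(public_key)
    if holder_has_key:
        answer = respond(private_key, ciphertext)
    else:
        # Constructed impostor: same modulus, wrong private exponent.
        n, d = private_key
        answer = respond((n, d + 1), ciphertext)
    return verify(public_key, nonce, answer)


if __name__ == "__main__":
    print("legitimate key holder accepted:", run_exchange(True))
    print("impostor accepted:", run_exchange(False))
```

The point for defenders is in `issue_challenge` and `verify`: because the nonce is fresh each time and the plaintext is never sent, the exchange leaks nothing that helps a passive observer, which is exactly what makes a backdoor with this gate hard to hijack and equally hard to probe from the network side.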
Open Sesame
The lightweight backdoor is also notable because it resided only in memory, a characteristic that makes detection harder for defenders. The combination led researchers at Lumen Technology’s Black Lotus Labs to sit up and take note.
“While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years,” the researchers wrote. “The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening agent only in memory makes this an interesting confluence of tradecraft worthy of further observation.”
The researchers found J-Magic on VirusTotal and determined that it had run inside the networks of 36 organizations. They still don’t know how the backdoor was installed. Here is how the magic packet worked:
The passive agent is deployed to silently observe all TCP traffic sent to the device. It discreetly analyzes incoming packets and looks for one of five specific sets of conditions in them. The conditions are obscure enough to blend in with the normal flow of traffic, so network defense products won’t detect a threat. At the same time, they are unusual enough that they are unlikely to be found in normal traffic.