Juniper VPN gateways targeted by stealthy “magic” malware


  • Security researchers spot new piece of malware called J-Magic
  • It listens to traffic in anticipation of a “magic packet”
  • Once detected, J-Magic initiates the deployment of a backdoor

Hackers have been found targeting companies in the semiconductor, energy, manufacturing, and IT sectors, with a unique piece of malware called J-magic, experts have warned.

A new report from the Black Lotus Team at Lumen Technologies revealed that unnamed threat actors repurposed cd00r, a stealthy backdoor Trojan that provides unauthorized access to a system and was originally released as an open source proof-of-concept for educational and research purposes in cybersecurity.

The repurposed Trojan, dubbed “J-magic”, was being deployed to enterprise-grade Juniper routers serving as VPN gateways. The researchers don’t know how the endpoints got infected, but in any case, the Trojan sat silently until the attackers sent it a “magic” TCP packet.

SeaSpy2 and cd00r

“If any of these parameters or ‘magic packets’ are received, the agent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software,” the researchers explained.
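The sequence described above, an unsolicited inbound packet to a port the gateway does not serve followed shortly by the gateway itself opening an outbound connection, is what a defender can hunt for in flow logs. The following is an added example written for this article, not code from Lumen's report or from the malware; the gateway address, the set of expected service ports, the 60-second window and the flow records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

GATEWAY = "10.0.0.1"               # constructed: address of the VPN gateway
EXPECTED_PORTS = {443, 500, 4500}  # constructed: services the gateway is meant to serve

@dataclass
class Flow:
    ts: datetime     # when the flow was first seen
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    syn_only: bool = False  # True when no handshake completed (a bare probe)

def find_magic_packet_followups(flows, gateway=GATEWAY,
                                expected_ports=EXPECTED_PORTS,
                                window=timedelta(seconds=60)):
    """Return (trigger, outbound) pairs: an inbound packet to the gateway on a
    port it does not serve, followed within `window` by a new outbound
    connection initiated by the gateway (the magic-packet -> reverse-shell
    pattern). Outbound flows that precede the trigger are not matched."""
    flows = sorted(flows, key=lambda f: f.ts)
    triggers = [f for f in flows if f.dst == gateway and f.dport not in expected_ports]
    outbound = [f for f in flows if f.src == gateway]
    hits = []
    for trig in triggers:
        for out in outbound:
            if trig.ts <= out.ts <= trig.ts + window:
                hits.append((trig, out))
                break  # one follow-up per trigger is enough to raise an alert
    return hits

# Constructed sample flows: ordinary VPN traffic, one bare probe to an
# unserved port, and a gateway-initiated connection five seconds later.
T = datetime(2024, 3, 1, 12, 0, 0)
SAMPLE_FLOWS = [
    Flow(T - timedelta(minutes=1), "198.51.100.5", GATEWAY, 443),
    Flow(T - timedelta(seconds=30), GATEWAY, "198.51.100.5", 500),   # before trigger
    Flow(T, "203.0.113.7", GATEWAY, 45001, syn_only=True),           # the "magic" probe
    Flow(T + timedelta(seconds=5), GATEWAY, "203.0.113.7", 4444),    # reverse connection
    Flow(T + timedelta(minutes=10), "198.51.100.9", GATEWAY, 4500),
]

if __name__ == "__main__":
    for trig, out in find_magic_packet_followups(SAMPLE_FLOWS):
        print(f"probe {trig.src}->{trig.dport} at {trig.ts:%H:%M:%S} "
              f"then outbound {out.dst}:{out.dport} at {out.ts:%H:%M:%S}")
```

This is a heuristic, not a signature: it will not see the challenge exchange itself, and gateways that legitimately initiate connections need their normal peers excluded from the outbound list before the rule is useful.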

The campaign was first spotted in September 2023, and lasted roughly until mid-2024. Black Lotus could not say who the threat actors were, but said that elements of the activity “share some technical indicators” with a subset of prior reporting on a malware family named SeaSpy2.

“However, we do not have enough data points to link these two campaigns with high confidence,” they said.

In any case, SeaSpy2 is also built on cd00r and works in a similar fashion, scanning for magic packets. This persistent, passive backdoor, masquerading as a legitimate Barracuda service called “BarracudaMailService,” allows threat actors to execute arbitrary commands on compromised Barracuda Email Security Gateway (ESG) appliances.

SeaSpy was apparently built by UNC4841, a Chinese threat actor.

Via BleepingComputer
