Backdoor infecting VPNs used “magic packets” for stealth and security
Summary
A newly discovered backdoor, which has affected dozens of enterprise VPNs running Juniper Networks’ Junos OS, uses a ‘magic packet’ technique to prevent anyone other than its operator from using the malware, according to researchers at Lumen Technologies’ Black Lotus Labs.
The backdoor, dubbed ‘J-Magic’, resides in memory, making detection difficult, and waits for a trigger packet embedded in normal TCP traffic. Once triggered, it encrypts a challenge with the public half of an RSA key pair.
The backdoor then requires the remote party to reply with the corresponding plaintext, proving that they hold the private key.
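The challenge-response gate described above, as an added example that is not code from the original article or from the malware it describes: a toy RSA key pair built from small constructed primes (nowhere near a real key size) and both sides of the exchange, showing why a reply captured from one session cannot be replayed in another.

```python
import secrets

# Toy RSA key pair from small, constructed primes: enough to run the handshake
# offline without a crypto library, nowhere near a real key size.
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)   # the part an implant could carry in its binary
PRIVATE_KEY = (N, D)  # the part only the key holder is supposed to have


def issue_challenge(public_key, rng=secrets.randbelow):
    """Implant side: draw a fresh random challenge and RSA-encrypt it.

    Returns (plaintext kept locally, ciphertext sent to the peer)."""
    n, e = public_key
    challenge = rng(n - 2) + 2  # 2 <= challenge < n, never 0 or 1
    return challenge, pow(challenge, e, n)


def answer_challenge(private_key, ciphertext):
    """Key-holder side: decrypt the challenge to recover the plaintext."""
    n, d = private_key
    return pow(ciphertext, d, n)


def run_handshake(responder, rng=secrets.randbelow):
    """One exchange: responder(ciphertext) -> reply; True only on the exact plaintext."""
    challenge, ciphertext = issue_challenge(PUBLIC_KEY, rng)
    return responder(ciphertext) == challenge


if __name__ == "__main__":
    # Legitimate key holder succeeds (fixed rng values keep the demo deterministic).
    print(run_handshake(lambda c: answer_challenge(PRIVATE_KEY, c), rng=lambda k: 100))  # True
    # Replaying a plaintext captured from an earlier session fails, because
    # every session uses a fresh challenge.
    captured = answer_challenge(PRIVATE_KEY, issue_challenge(PUBLIC_KEY, rng=lambda k: 100)[1])
    print(run_handshake(lambda c: captured, rng=lambda k: 200))  # False
```

For defenders the useful point is that the encrypted challenge and its plaintext reply are themselves traffic: a device that answers an otherwise unremarkable TCP packet with an unexpected outbound blob is an observable anomaly even though the implant lives only in memory.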
The technique is “tradecraft worthy of further observation”, according to the researchers; however, they are still unsure how the malware is installed.
The finding demonstrates that malware developers are constantly refining their evasion techniques in order to stay ahead of defenders.