S1203 J-magic
J-magic is a custom variant of the cd00r backdoor tailored to target Juniper routers; it was first observed during the J-magic Campaign in mid-2023. J-magic monitors TCP traffic for one of five predefined parameters, or “magic packets”, sent by the attackers before it activates on compromised devices.[1]
| Item | Value |
|---|---|
| ID | S1203 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 February 2025 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | The J-magic agent is executed through a command-line argument that specifies an interface and listening port.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | J-magic can connect back to C2 infrastructure over SSL to send a challenge.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.003 | Clear Command History | J-magic can overwrite previously executed command-line arguments.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | J-magic can rename itself to “[nfsiod 0]” to masquerade as the local Network File System (NFS) asynchronous I/O server.[1] |
| enterprise | T1040 | Network Sniffing | J-magic has a pcap listener function that can create an Extended Berkeley Packet Filter (eBPF) on designated interfaces and ports.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | J-magic can monitor incoming C2 communications sent over TCP to the compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | J-magic can compare the host and remote IPs to check whether a received packet originates from the infected machine.[1] |
| enterprise | T1205 | Traffic Signaling | J-magic can monitor TCP traffic for packets containing one of five different predefined parameters, and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge are received.[1] |