- Security researchers warn of a new piece of malware called J-Magic
- It listens to network traffic, waiting for a “magic packet”
- Once that packet is detected, J-Magic begins deploying a backdoor
Hackers have been found targeting companies in the semiconductor, energy, manufacturing and IT sectors with a unique piece of malware called J-Magic, experts have warned.
A new report by the Black Lotus team at Lumen Technologies revealed that the unidentified threat actors repurposed CD00R, a stealthy backdoor Trojan designed to provide unauthorized access to a system, which was originally created as an open-source proof of concept for educational purposes and cybersecurity research.
The repurposed Trojan, dubbed “J-Magic”, was being deployed on enterprise-grade Juniper routers that serve as VPN gateways. The researchers do not know how the endpoints were infected, but in any case the Trojan sat silently until the attackers sent it a “magic” TCP packet.
Seaspy2 and CD00R
“If any of these parameters or ‘magic packets’ are received, the agent sends a secondary challenge. Once that challenge is completed, J-Magic establishes a reverse shell on the local file system, which allows operators to control the device, steal data or deploy malicious software,” the researchers explained.
The campaign was first seen in September 2023 and lasted until approximately mid-2014. Black Lotus could not say who the threat actors were, but said that elements of the activity “share some technical indicators” with a subset of previous reports about a malware family called Seaspy2.
“However, we don’t have enough data points to link these two campaigns with high confidence,” they said.
In any case, Seaspy2 is also based on CD00R and works in a similar way, scanning for magic packets. This persistent, passive backdoor, disguised as a legitimate Barracuda service called “BarracudaMailService”, allows threat actors to execute arbitrary commands on compromised Barracuda Email Security Gateway (ESG) appliances.
Seaspy was apparently built by UNC4841, a Chinese threat actor.
Via BleepingComputer