- Security researchers spot new malware called J-Magic
- It listens to traffic, waiting for a "magic packet"
- Once that packet is detected, J-Magic initiates the deployment of a backdoor
Hackers have been found targeting companies in the semiconductor, energy, manufacturing and IT sectors with a unique piece of malicious software called J-Magic, experts have warned.
A new report by Lumen Technologies' Black Lotus Labs team revealed that unknown threat actors have reused CD00R, a stealthy and harmful workhorse.
The repurposed Trojan, nicknamed "J-Magic", was deployed on enterprise-grade Juniper routers serving as VPN gateways. The researchers do not know how the endpoints were infected, but in any case the Trojan sat silently until the attackers sent it a "magic" TCP packet.
Seaspy2 and CD00R
"If one of these parameters, or 'magic packets', is received, the agent returns a secondary challenge. Once this challenge is completed, J-Magic establishes a reverse shell on the local file system, allowing operators to control the device, steal data or deploy malware," the researchers said.
The campaign was first spotted in September 2023 and lasted until approximately mid-2012. Black Lotus could not say who the threat actors were, but said that elements of the activity "share certain technical indicators" with a subset of prior reporting on a family of malware named Seaspy2.
"However, we do not have enough data points to link these two campaigns with high confidence," they said.
In any case, Seaspy2 is also built on CD00R and operates in the same way, scanning for magic packets. This persistent, passive backdoor, masquerading as a legitimate Barracuda service called "BarracudaMailService", allows threat actors to execute arbitrary commands on compromised Barracuda Email Security Gateway (ESG) appliances.
Seaspy was apparently built by UNC4841, a Chinese threat actor.
Via BleepingComputer