The China-nexus cyber espionage group tracked as UNC3886 has been observed targeting end-of-life MX routers from Juniper Networks as part of a campaign designed to deploy custom backdoors, highlighting the group's ability to focus on internal networking infrastructure.
Google-owned Mandiant said in a report shared with The Hacker News, "The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device."
The threat intelligence firm described the development as an evolution of the adversary's tradecraft, which has historically leveraged zero-day vulnerabilities in Fortinet, Ivanti and VMware devices to breach networks of interest and establish persistence for remote access.
First documented in September 2022, the hacking crew is assessed to be "highly proficient" and capable of targeting edge devices and virtualization technologies, with the ultimate goal of breaching defense, technology and telecommunications organizations located in the United States and Asia.
These attacks typically take advantage of the fact that such network perimeter devices lack security monitoring and detection solutions, allowing the attackers to operate unimpeded and without attracting attention.
"The compromise of routing devices is a recent trend in the tactics of espionage-motivated adversaries, as it grants long-term, high-level access to crucial routing infrastructure, with the potential for more disruptive actions in the future," Mandiant said.
The latest activity, spotted in mid-2024, involves the use of implants based on TinyShell, a C-based backdoor that has been used in the past by various Chinese hacking groups such as Liminal Panda and Velvet Ant.
Mandiant said it identified six distinct TinyShell-based backdoors, each with a unique capability:
- appid, which supports file upload/download, an interactive shell, a SOCKS proxy, and configuration changes (e.g., command-and-control server, port number, network interface, etc.)
- to, which is similar to appid but with a different set of hard-coded C2 servers
- irad, a passive backdoor that acts as a libpcap-based packet sniffer to extract commands to be executed on the device from ICMP packets
- lmpad, a utility and passive backdoor that can launch an external script to perform process injection into legitimate Junos OS processes in order to stall logging
- jdosd, which implements a UDP backdoor with file transfer and remote shell capabilities
- oemd, a passive backdoor that communicates with the C2 server over TCP and supports the standard TinyShell commands to upload/download files and execute shell commands
The campaign is also notable for the steps taken to execute the malware while circumventing the Verified Exec (Veriexec) protection of Junos OS, which prevents untrusted code from being executed. This is accomplished by gaining privileged access to a Juniper router from a terminal server used for managing network devices, using legitimate credentials.
The elevated permissions are then used to inject malicious payloads into the memory of a legitimate cat process, resulting in the execution of the lmpad backdoor while Veriexec remains enabled.
"The main objective of this malware is to disable all possible logging before the operator connects to the router to perform hands-on activities and then later restore the logs after the operator disconnects," Mandiant said.
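A defender-side heuristic for the behaviour described above: logging is switched off right after an operator logs in and switched back on when the session ends, which leaves a silence in the device's log stream that starts immediately after a login event. The following added example (not from the report or the article) runs that check over a constructed, syslog-style sample; the line format, the `min_gap` threshold and the `ratio` multiplier are assumptions for illustration.

```python
"""Flag logging gaps that begin immediately after a remote login event."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample lines in an assumed "<ISO timestamp> <process>: <message>"
# shape; they are not real Junos OS output.
SAMPLE_LOG = """\
2024-06-01T10:00:00 sshd: Accepted password for admin from 10.0.0.5
2024-06-01T10:00:30 mgd: user 'admin' requested commit
2024-06-01T10:01:00 sshd: Accepted password for netops from 10.0.0.9
2024-06-01T10:22:00 mgd: user 'netops' ran command 'show version'
2024-06-01T10:22:10 sshd: session closed for user netops
"""


def parse_line(line):
    """Split one log line into (timestamp, message)."""
    ts, _, msg = line.partition(" ")
    return datetime.fromisoformat(ts), msg


def find_login_gaps(log_text, min_gap=timedelta(minutes=10), ratio=10):
    """Return (user, gap_start, gap_seconds) for each login that is followed
    by an unusually long silence.

    A healthy device emits events at a fairly steady rate, so the typical
    spacing is estimated from the log itself (median inter-event interval).
    A gap is flagged only if it directly follows a login AND is both longer
    than min_gap and at least `ratio` times the typical spacing, which keeps
    quiet-but-normal devices from generating noise.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if len(events) < 2:
        return []
    deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    typical = median(deltas)
    findings = []
    for (t0, msg), (t1, _) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if "Accepted" in msg and gap >= min_gap.total_seconds() and gap >= ratio * typical:
            user = msg.split(" for ")[1].split()[0]
            findings.append((user, t0, int(gap)))
    return findings


if __name__ == "__main__":
    for user, start, seconds in find_login_gaps(SAMPLE_LOG):
        print(f"login by {user} at {start} followed by {seconds}s of log silence")
```

A gap in the stream is only an indicator; corroborate it with out-of-band evidence such as the terminal server's own session records, since a device whose logs were tampered with cannot be trusted to tell the story on its own.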
Some of the other tools deployed by UNC3886 include rootkits such as Reptile and Medusa; PITHOOK, to hijack SSH authentication and capture SSH credentials; and GHOSTTOWN, for anti-forensic purposes.
Organizations are recommended to upgrade their Juniper devices to the latest images released by Juniper Networks, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
The development comes a month after Lumen Black Lotus Labs revealed that enterprise-grade Juniper Networks routers had become the target of a custom backdoor as part of a campaign dubbed J-magic, which delivers a variant of a known backdoor called cd00r.
"The malware deployed on Juniper Networks' Junos OS routers demonstrates that UNC3886 has in-depth knowledge of advanced system internals," the Mandiant researchers said.
"Furthermore, UNC3886 continues to prioritize stealth in its operations through the use of passive backdoors, together with log and forensic artifact tampering, indicating a focus on long-term persistence while minimizing the risk of detection."