Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
The backdoors are primarily variants of the TinyShell malware, an open-source tool that facilitates data exchange and command execution on Linux systems, and which has been used by multiple threat groups over the years.
The attacks were discovered in mid-2024 by Mandiant, who attributed the attacks to a cyberespionage threat actor known as UNC3886.
“In mid 2024, Mandiant discovered threat actors deployed custom backdoors operating on Juniper Networks’ Junos OS routers,” explains a new report by Mandiant.
“Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL based backdoors operating on Juniper Networks’ Junos OS routers.”
This threat actor is known for sophisticated attacks utilizing zero-day vulnerabilities to compromise virtualization platforms and edge networking devices.
In 2023, Chinese hackers were behind a series of attacks on government organizations using a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy custom backdoors. Later that year, the threat actors exploited a VMware ESXi zero-day vulnerability to backdoor ESXi hosts.
Attacking Juniper routers with 6 backdoors
Mandiant has observed UNC3886 attacks starting from terminal servers used for managing network devices, where the threat actors used compromised credentials to access the Junos OS CLI and escalate to FreeBSD shell mode.
The researchers note that Junos OS has a file integrity system named ‘Veriexec’ that prevents unauthorized code from running on devices. However, they discovered that code injected into trusted processes could still be executed.
“Veriexec protection prevents unauthorized binaries from executing. This poses a challenge for threat actors, as disabling veriexec can trigger alerts,” the Mandiant researchers explain.
“However, execution of untrusted code is still possible if it occurs within the context of a trusted process. Mandiant’s investigation revealed that UNC3886 was able to circumvent this protection by injecting malicious code into the memory of a legitimate process.”
Utilizing this method, UNC3886 installed the six custom backdoors on the MX routers, all based on TinyShell:
- appid – Active backdoor which mimics the legitimate process ‘appidd.’ It establishes a remote shell session, allows uploading/downloading files, and can act as a proxy for malicious traffic.
- to – Active backdoor which mimics the legitimate process ‘top.’ It functions similarly to appid but uses different command-and-control (C2) addresses.
- irad – A passive backdoor that mimics the legitimate process ‘irad.’ It operates as a packet sniffer backdoor, remaining dormant until activated by a magic ICMP string embedded in network traffic. Once triggered, it establishes a remote shell session while evading traditional detection methods.
- jdosd – A passive backdoor that mimics the legitimate ‘jddosd’ process. It listens on UDP port 33512 and activates when it receives a magic value (0xDEADBEEF) from the attacker. Once enabled, it provides remote shell access, allowing attackers to execute commands covertly.
- oemd – Passive backdoor which mimics the legitimate process ‘oamd.’ It is designed to be network-activated, binding itself to specific network interfaces rather than a fixed port. It communicates with C2 over TCP using AES encryption to ensure stealthy, encrypted control.
- lmpad – A utility and passive backdoor that mimics the legitimate ‘lmpd’ process. It is primarily used to turn off logging and security monitoring before an attack, modifying Juniper’s SNMP and management daemons to prevent detection. After attacker operations, it can restore logs, erasing forensic traces of the intrusion.
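Two defender-side checks that follow from the list above, as an added example (this is not code from Mandiant's report or from Juniper): a hunt for process names that sit one edit away from the legitimate Junos daemons the backdoors imitate, and a filter that flags UDP datagrams to port 33512 carrying the 0xDEADBEEF activation value described for jdosd. The daemon names, port and magic value are taken from the article; the process listing and datagrams are constructed sample data, and checking the magic in both byte orders is an assumption, since the article does not state the on-wire byte order.

```python
"""Hunting helpers built from the behaviours in the article's backdoor list.
Added example, not Mandiant's or Juniper's code. Sample inputs are constructed."""
from dataclasses import dataclass

# Legitimate daemon names the backdoors imitate, as named in the article.
# The real Junos process table is much broader than this list.
LEGIT_DAEMONS = sorted({"appidd", "top", "irad", "jddosd", "oamd", "lmpd"})


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_processes(ps_lines, max_distance=1):
    """Return (pid, name, imitated_daemon) for every process whose name is
    within max_distance edits of a legitimate daemon but is not that daemon.
    Input is 'PID COMMAND' lines; the header and anything non-numeric is skipped."""
    hits = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        pid, name = int(parts[0]), parts[1]
        if name in LEGIT_DAEMONS:
            continue  # exact legitimate name: a same-name mimic needs a hash check, not this
        for legit in LEGIT_DAEMONS:
            if edit_distance(name, legit) <= max_distance:
                hits.append((pid, name, legit))
                break
    return hits


@dataclass(frozen=True)
class UdpDatagram:
    """Minimal view of a UDP datagram (constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: bytes


JDOSD_PORT = 33512                              # listening port from the article
JDOSD_MAGIC = (0xDEADBEEF).to_bytes(4, "big")   # activation value from the article


def flag_jdosd_activation(datagrams):
    """Flag (src, dst) for UDP datagrams to port 33512 whose payload contains the
    magic value. Both byte orders are checked (assumption: the article gives the
    value but not its wire encoding)."""
    alerts = []
    for d in datagrams:
        if d.dport != JDOSD_PORT:
            continue
        if JDOSD_MAGIC in d.payload or JDOSD_MAGIC[::-1] in d.payload:
            alerts.append((d.src, d.dst))
    return alerts


# Constructed sample process listing: each legitimate daemon next to a lookalike.
SAMPLE_PS = [
    "PID COMMAND",
    "1234 appidd", "1235 appid",
    "1300 top", "1301 to",
    "1400 jddosd", "1401 jdosd",
    "1500 oamd", "1501 oemd",
    "1600 lmpd", "1601 lmpad",
    "1700 sshd",
]

# Constructed sample datagrams using documentation-range addresses.
SAMPLE_DATAGRAMS = [
    UdpDatagram("203.0.113.7", "192.0.2.1", 33512, b"\xde\xad\xbe\xef" + b"\x00" * 8),
    UdpDatagram("203.0.113.7", "192.0.2.1", 33512, b"\x00" * 12),
    UdpDatagram("198.51.100.9", "192.0.2.1", 53, b"\xde\xad\xbe\xef"),
    UdpDatagram("203.0.113.8", "192.0.2.2", 33512, b"\xef\xbe\xad\xde"),
]

if __name__ == "__main__":
    for pid, name, legit in find_lookalike_processes(SAMPLE_PS):
        print(f"pid {pid}: '{name}' looks like '{legit}'")
    for src, dst in flag_jdosd_activation(SAMPLE_DATAGRAMS):
        print(f"possible jdosd activation {src} -> {dst}")
```

The name check only produces hunt leads: a near-miss name is a reason to pull the binary's hash and path, not a verdict, and the irad backdoor, which the article says carries the same name as the process it imitates, would not be caught by name at all. The datagram check is the kind of logic Mandiant's published Snort/Suricata rules encode; it is shown here only so the activation condition in the list is concrete.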
For stealth and persistence, each of the six backdoors used by UNC3886 in the attacks has a distinct C2 communication method and uses a separate set of hardcoded C2 server addresses.
Given that UNC3886 targets end-of-life Juniper MX routers, the priority should be replacing these devices with new models that are actively supported and then upgrading those to the latest firmware.
Although Juniper did not release fixes this time, the vendor published a bulletin that includes mitigation recommendations and updated signatures for its Juniper Malware Removal Tool (JMRT).
System administrators should also strengthen authentication security by using a centralized Identity & Access Management (IAM) system and enforcing multi-factor authentication (MFA) for all network devices.
A complete list of the indicators of compromise (IoCs) related to this campaign and YARA and Snort/Suricata rules are provided at the bottom of Mandiant’s report.
Juniper routers were also previously targeted in J-Magic malware attacks that opened a reverse shell to the device when it received specially crafted packets. This campaign was designed for low-detection and long-term access to corporate networks.