Security researchers at Mandiant have discovered a series of custom backdoors deployed on end-of-life Juniper Networks Junos OS routers by a Chinese cyberespionage group that has historically targeted network devices.
According to Mandiant documentation, the backdoors were planted on end‑of‑life hardware and software and included bypasses for Junos OS’s veriexec subsystem, a kernel‑based file integrity protection mechanism.
Technical analysis shows that the attackers gained privileged access through legitimate credentials, entering the FreeBSD shell via the Junos OS CLI. Once inside, they employed process injection techniques to avoid triggering veriexec alerts.
“The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device,” Mandiant warned.
The hacking operation, tagged as UNC3886, is described as a China-nexus hacking operation that has historically targeted network devices and virtualization technologies with zero-day exploits.
The APT’s interests seem to be focused mainly on defense, technology, and telecommunication organizations located in the US and Asia, Mandiant said.
Mandiant researchers explained that the China-nexus group used a “here document” to generate a base64‑encoded file that was decoded into a compressed archive containing malicious payloads.
After analyzing memory from compromised routers, Mandiant discovered that the attackers injected payloads into a spawned process. The company identified six modified TINYSHELL‑based malware samples, each with unique activation methods and capabilities tailored to Junos OS, highlighting the hacking team’s detailed understanding of the system internals.
Mandiant said it observed the hackers targeting network authentication services, including the Terminal Access Controller Access-Control System (TACACS+), and terminal servers with access to the routers to gain privileged initial access.
“This privileged access allowed the threat actor to enter Junos OS shell mode and perform restricted operations. Investigating further actions taken by the threat actor was hampered by the challenges inherent in analyzing proprietary network devices, which required novel methods for artifact acquisition and analysis.”
The company released IOCs and YARA rules to help defender hunt for signs of infections. Mandiant is also recommending that organizations upgrade their Juniper devices to the latest images released by Juniper Networks, which includes mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT).
“Organizations should run the JMRT Quick Scan and Integrity Check after the upgrade,” Mandiant said.
Related: Juniper Networks Fixes High-Severity Vulnerabilities in Junos OS
Related: VMware vCenter Flaw So Critical, Patches Released for End-of-Life Products
Related: Juniper Warns of Mirai Botnet Targeting Session Smart Routers
Related: China’s Volt Typhoon Exploiting Zero-Day in Servers Used by ISPs, MSPs
