
Security researchers at Mandiant have discovered Chinese hackers deploying sophisticated backdoors on end-of-life Juniper Networks Junos OS MX routers. The attacks, attributed to the China-linked espionage group UNC3886, involve six custom backdoor variants based on the open-source TinyShell malware.
## Sophisticated Attack Methodology
UNC3886, known for leveraging zero-day vulnerabilities against virtualization platforms and networking devices, accessed the routers through compromised terminal servers. The threat actors used stolen credentials to gain access to the Junos OS command-line interface before escalating to FreeBSD shell mode.
Despite Junos OS having a file integrity system called ‘Veriexec’ designed to prevent unauthorized code execution, the attackers circumvented this protection by injecting malicious code into legitimate processes’ memory.
## Six Custom Backdoors Deployed
The attackers installed six TinyShell-based backdoors, each with distinct communication methods and separate command-and-control servers:
1. **appid** – Active backdoor mimicking the legitimate ‘appidd’ process
2. **to** – Active backdoor mimicking the ‘top’ process
3. **irad** – Passive backdoor activated by a magic ICMP string
4. **jdosd** – Passive backdoor listening on UDP port 33512
5. **oemd** – Passive backdoor with AES-encrypted communications
6. **lmpad** – Utility backdoor that disables logging and security monitoring
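The process names and the fixed UDP port above give a defender two cheap triage checks on a Junos device's FreeBSD shell. The script below is an added illustration, not code from Mandiant's or Juniper's report: it scans constructed `ps`- and `sockstat`-style listings (the sample lines are invented, and the extra daemon names `sshd`, `rpd`, `mgd` are assumed benign for the look-alike check) for the backdoor names named on this page, for truncated look-alikes of legitimate daemons such as `appid`/`appidd` and `to`/`top`, and for a UDP listener on port 33512.

```python
"""Heuristic triage of Junos (FreeBSD shell) process and socket listings for
the TinyShell-based backdoors described above. All sample input is CONSTRUCTED
for illustration and was not captured from a real device."""
import re

# Daemons the page says the backdoors impersonate, plus assumed benign names.
LEGIT_DAEMONS = {"appidd", "top", "sshd", "rpd", "mgd"}
# Backdoor process names from the report summary above.
KNOWN_BACKDOOR_NAMES = {"appid", "to", "irad", "jdosd", "oemd", "lmpad"}
JDOSD_UDP_PORT = 33512  # passive jdosd listener port named on the page

PS_SAMPLE = """\
  PID COMMAND
 1102 mgd
 1345 appidd
 2210 appid
 2311 to
 2400 sshd
"""
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       2400  3  tcp4   *:22                  *:*
root     jdosd      2512  4  udp4   *:33512               *:*
"""


def suspicious_processes(ps_output: str) -> list[tuple[int, str, str]]:
    """Return (pid, name, reason) for processes worth a closer look."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        pid, name = line.split(None, 1)
        name = name.strip()
        if name in KNOWN_BACKDOOR_NAMES:
            findings.append((int(pid), name, "known backdoor name"))
        # Generalisation: a name that is a strict prefix of a real daemon
        # (e.g. 'appid' vs 'appidd') is a common impersonation pattern.
        elif name not in LEGIT_DAEMONS and any(d.startswith(name) for d in LEGIT_DAEMONS):
            findings.append((int(pid), name, "truncated look-alike of a legitimate daemon"))
    return findings


def suspicious_listeners(sockstat_output: str) -> list[tuple[int, str, int]]:
    """Return (pid, command, port) for UDP sockets bound to the jdosd port."""
    findings = []
    for line in sockstat_output.splitlines()[1:]:  # skip the header row
        cols = line.split()  # USER COMMAND PID FD PROTO LOCAL FOREIGN
        proto, local = cols[4], cols[5]
        match = re.search(r":(\d+)$", local)
        if match and proto.startswith("udp") and int(match.group(1)) == JDOSD_UDP_PORT:
            findings.append((int(cols[2]), cols[1], int(match.group(1))))
    return findings
```

A hit from either function is a reason to pull memory and network evidence from the device, not proof of compromise on its own.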
## Recommended Mitigations
Since these attacks target end-of-life devices, organizations should:
– Replace outdated Juniper MX routers with supported models
– Update firmware on all network devices
– Implement centralized Identity & Access Management systems
– Enforce multi-factor authentication for network device access
Juniper has published a bulletin with mitigation recommendations and updated signatures for its Juniper Malware Removal Tool (JMRT). Indicators of compromise and detection rules are available in Mandiant’s report.