Justice AV Solutions (JAVS), a leading provider of digital audio-visual recording solutions for courtrooms and other legal environments, is grappling with a severe cybersecurity breach. The widely used JAVS Viewer software, specifically version 8.3.7, has been found to contain a backdoor installer, putting users at significant risk.
A supply chain attack involves attackers introducing malicious components into the supply chain’s delivery process. This can occur at various stages, such as during design, manufacturing, or product finalisation. For instance, attackers exploit vulnerabilities to implant malicious code, automatically installed when the end user, such as a customer, uses the product.
On May 10, 2024, cybersecurity researchers detected suspicious activity traced to a binary named fffmpeg.exe within the JAVS Viewer v8.3.7 installation directory. The investigation revealed that the malicious binary was part of an installer package downloaded from the official JAVS website on March 5, 2024.
On further investigation, it was revealed that the installer package, JAVS Viewer Setup 8.3.7.250-1.exe, was signed with an unexpected Authenticode certificate issued to ‘Vanguard Tech Limited.’ Researchers found this unusual, as legitimate JAVS binaries are typically signed by ‘Justice AV Solutions Inc.’
“Users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems. Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials,” explained researchers from Rapid7.
Further examination of the installer uncovered the presence of the binary fffmpeg.exe, with executed encoded PowerShell scripts upon installation.
The scripts attempted to bypass Anti-Malware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW) before downloading additional payloads.
The fffmpg.exe binary is associated with the GateDoor/Rustdoor family of malware, known for its ability to facilitate unauthorised remote access and control over compromised systems. The malware persistently communicated with a command-and-control (C2) server, transmitting detailed information about the host system, including hostname, operating system details, processor, architecture, working directory, and user information.
Researchers also identified additional binaries, such as chrome_installer.exe and firefox_updater.exe, on the threat actor’s C2 infrastructure, designed to drop and execute further malicious payloads.
“Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file. We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free,” said the company in response to the incident.
The company and the researchers urged users to reimage any endpoints where JAVS Viewer 8.3.7 was installed, reset account credentials into affected endpoints and browsers, and install the latest version of JAVS Viewer (8.3.9 or higher).
In the News: Spotify discontinues Car Thing from December 9; offers no refunds
