A recent supply chain attack targeted the JAVS Viewer 837 program within the JAVS Suite 8 product, enabling threat actors to gain control over user systems.

Description

The backdoor [1] [2] [3] [4] [6], identified as the GateDoor/Rustdoor malware [1] [2] [4] [5] [6], was signed with an Authenticode certificate issued to “Vanguard Tech Limited,” an entity unrelated to Justice AV Solutions Inc. The backdoor connected to remote servers to exfiltrate sensitive data and to execute PowerShell scripts on infected devices. Rapid7 researchers traced the malicious binary to a download from the official JAVS site on March 5, 2024. Three further malicious payloads were found on the attacker’s command and control (C2) infrastructure [5], indicating that the threat actors were still updating their tooling. JAVS promptly released a new version of the JAVS Viewer to mitigate the issue [1], and the incident was tracked as CVE-2024-4978 [1]. Analysts warned of potential long-term consequences, such as compromised systems and stolen passwords, and urged users to update to version 838 or higher [4], perform a full system reimage [4], and reset all associated credentials to eliminate any remaining foothold [4].

Conclusion

Users with JAVS Viewer v837 installed are at high risk because the backdoored installer allows attackers to gain full control of affected systems [3]. Rapid7 recommends completely re-imaging affected endpoints and resetting associated credentials so that attackers cannot persist through the backdoor or reuse stolen credentials [3]. The backdoored installer was identified through an investigation by Rapid7 analysts [3], who traced the infection back to a binary named JAVS Viewer Setup 837250-1.exe downloaded from the official JAVS site on March 5th [3]. The installer carried an unexpected Authenticode signature and contained the binary fffmpeg.exe [2] [3], which executed encoded PowerShell scripts [3].

The researchers linked the backdoor to the GateDoor/Rustdoor malware [6], which had been identified earlier by the security firm S2W [6]. The malware was hosted on the official JAVS website [6], and the attackers were actively updating their C2 infrastructure [6]. Two malicious JAVS Viewer packages were discovered on the vendor’s server [2], signed with a certificate issued on February 10 [2]. Rapid7 published Indicators of Compromise (IoCs) [2], detailing the attack timeline and identifying additional malicious payloads hosted on the threat actor’s C2 infrastructure [2].

The software, used in judicial environments, shipped with an installer containing a backdoor that gives attackers full control of user systems. The issue affects customers who installed Justice AV Solutions (JAVS) Viewer v837, which is used in US courts, chambers, and jury rooms, as well as in jails and prisons. Rapid7 found that the fffmpeg.exe binary associated with the GateDoor/Rustdoor malware family was downloaded from the official JAVS site on March 5, 2024. Attackers can steal credentials and deploy backdoors or additional malware, enabling unauthorized remote access and communication with a C2 server.

Users of JAVS Viewer 837 are advised to reimage endpoints where the software was installed, reset credentials, and manually search for the fffmpeg.exe file. JAVS removed all versions of Viewer 837 from its website, reset passwords, and conducted a comprehensive internal audit of all JAVS systems; it recommends that users verify the digital signature of any installed JAVS software and keep up to date with all software versions and security patches.
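The two checks recommended above (verify the Authenticode signer of installed JAVS binaries, and search for the dropped fffmpeg.exe) can be scripted for triage. The following is an added example, not code from JAVS or Rapid7; the install path and the expected signer name are assumptions and should be adjusted to the environment, and the additional check for running PowerShell processes launched with an encoded command follows from the advisory's description of the backdoor's behaviour.

```powershell
# Added triage script (not JAVS's or Rapid7's code). The install root and the
# expected signer substring are assumptions; adjust them for your deployment.
param(
    [string]$InstallRoot    = 'C:\Program Files (x86)\JAVS',   # assumed install path
    [string]$ExpectedSigner = 'Justice AV Solutions',          # assumed legitimate signer CN
    [string]$RogueSigner    = 'Vanguard Tech Limited'          # signer named in the advisory
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Verify the Authenticode signature of every executable/DLL under the install root.
#    Flag anything unsigned, with an invalid chain, or signed by someone other than the vendor.
Get-ChildItem -Path $InstallRoot -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $reason  = $null
        if ($subject -like "*$RogueSigner*")               { $reason = 'Signed by certificate named in advisory' }
        elseif ($sig.Status -ne 'Valid')                   { $reason = "Signature status $($sig.Status)" }
        elseif ($subject -notlike "*$ExpectedSigner*")     { $reason = 'Unexpected signer' }
        if ($reason) {
            $findings.Add([pscustomobject]@{
                Reason = $reason; Path = $_.FullName; Signer = $subject
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash  # compare against published IoCs
            })
        }
    }

# 2. Hunt for the dropped binary name reported by Rapid7 anywhere on the system drive.
Get-ChildItem -Path $env:SystemDrive\ -Recurse -Filter 'fffmpeg.exe' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Reason = 'fffmpeg.exe present'; Path = $_.FullName; Signer = ''
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        })
    }

# 3. The backdoor ran encoded PowerShell; list live PowerShell processes using an encoded command
#    together with their parent PID so the launching binary can be identified.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
    Where-Object { $_.CommandLine -match '(?i)-e(nc|ncodedcommand)?\s' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Reason = "Encoded PowerShell (PID $($_.ProcessId), parent $($_.ParentProcessId))"
            Path = $_.CommandLine; Signer = ''; Sha256 = ''
        })
    }

$findings | Format-Table -AutoSize -Wrap
```

Any hit should be treated as grounds for the re-image and credential reset the advisory calls for, rather than for in-place cleanup.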

References

[1] https://www.techspot.com/news/103151-popular-recording-software-used-courtrooms-infected-password-stealing.html
[2] https://ciso2ciso.com/malware-laced-javs-viewer-deploys-rustdoor-implant-in-supply-chain-attack-source-securityaffairs-com/
[3] https://vuink.com/post/encvq7-d-dpbz/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack
[4] https://www.cyberdaily.au/security/10628-courtroom-av-software-firm-warns-of-supply-chain-attack
[5] https://www.infosecurity-magazine.com/news/courtroom-software-vulnerable/
[6] https://secoperations.wordpress.com/2024/05/27/malware-laced-javs-viewer-deploys-rustdoor-implant-in-supply-chain-attack/