Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software.
The attackers injected a backdoor into the JAVS Viewer v8.3.7 installer, which was being distributed from JAVS's own servers.
Justice AV Solutions (JAVS) is a U.S.-based company providing digital audio-visual recording solutions for courtroom settings and other environments, including jails, councils, and lecture rooms. The JAVS Viewer has over 10,000 installations globally. The backdoor delivered by the trojanized installer allows attackers to gain full control of infected systems. Rapid7 recommends re-imaging affected systems, resetting associated credentials, and installing the latest version of JAVS Viewer (v8.3.8 or higher).
The researchers noticed that the installer JAVS Viewer Setup 8.3.7.250-1.exe was digitally signed with an unexpected Authenticode signature and included a binary called fffmpeg.exe. That binary executed encoded PowerShell scripts; Rapid7 linked fffmpeg.exe to the Rustdoor malware, which was identified by security firm S2W.
“Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to ‘Vanguard Tech Limited’. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to ‘Justice AV Solutions Inc’,” reads the report published by Rapid7. “Searching VirusTotal for other files signed by ‘Vanguard Tech Limited’ shows the following.”

“The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.”
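The signer mismatch is the most practical thing to check on a host: legitimate JAVS binaries carry a Justice AV Solutions Inc signature, the backdoored installer and fffmpeg.exe carry a Vanguard Tech Limited one. The following PowerShell triage script is an added example, not Rapid7's or JAVS's own code. It assumes JAVS Viewer is installed under the default directory listed in $Paths and that the downloaded installer may still be in the user's Downloads folder; both paths are assumptions and should be adjusted to the environment.

```powershell
# Added example, not from Rapid7 or JAVS: triage a host for the signer mismatch,
# the fffmpeg.exe filename, and the SHA1 hashes reported in the Rapid7 analysis.
# Assumptions: the install directory below is the default JAVS Viewer path (adjust
# if yours differs); the trojanized installer may still sit in the user's Downloads.
param(
    [string[]]$Paths = @(
        "C:\Program Files (x86)\JAVS\Viewer 8",   # assumed default install directory
        "$env:USERPROFILE\Downloads"               # where the downloaded installer may remain
    )
)

$ExpectedSigner = "Justice AV Solutions Inc"   # signer of the legitimate JAVS binaries
$RogueSigner    = "Vanguard Tech Limited"      # signer of the backdoored installer and fffmpeg.exe
$IocSha1 = @(
    "b8e97333fc1b5cd29a71299a8f82a541cabf4d59",  # other malicious installer (SHA1 from the report)
    "b9d13055766d792abaf1d11f18c6ee7618155a0e"   # other malicious fffmpeg.exe (SHA1 from the report)
)

$files = Get-ChildItem -Path $Paths -Recurse -File -Include *.exe,*.dll -ErrorAction SilentlyContinue

$findings = foreach ($file in $files) {
    $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
    $sha1    = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash.ToLower()
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }

    # High-confidence indicators come straight from the report; "review" items are
    # hints only, because third-party DLLs under the install tree legitimately carry
    # other signers and a still-unrevoked rogue certificate can show Status = Valid.
    $severity = $null
    $reasons  = @()
    if ($IocSha1 -contains $sha1)        { $reasons += "SHA1 matches published IoC"; $severity = "high" }
    if ($file.Name -ieq "fffmpeg.exe")   { $reasons += "filename fffmpeg.exe";       $severity = "high" }
    if ($subject -like "*$RogueSigner*") { $reasons += "signed by $RogueSigner";     $severity = "high" }
    if (-not $severity) {
        if ($subject -notlike "*$ExpectedSigner*") { $reasons += "signer is not $ExpectedSigner ($subject)"; $severity = "review" }
        if ($sig.Status -ne "Valid")               { $reasons += "signature status $($sig.Status)";          $severity = "review" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Severity = $severity
            Path     = $file.FullName
            SHA1     = $sha1
            Signer   = $subject
            Status   = $sig.Status
            Reason   = ($reasons -join "; ")
        }
    }
}

if ($findings | Where-Object Severity -eq "high") {
    $findings | Sort-Object Severity | Format-Table -AutoSize
    Write-Warning "High-confidence match: treat the host as compromised. Re-image and reset credentials rather than only deleting the files."
} elseif ($findings) {
    $findings | Format-Table -AutoSize
    Write-Output "Only review-level items found; confirm signers manually."
} else {
    Write-Output "No suspicious binaries found under: $($Paths -join ', ')"
}
```

Two caveats when reading the output. First, Get-AuthenticodeSignature reporting Status Valid means only that the chain verified at check time; the Vanguard Tech Limited certificate was a real code-signing certificate, so the signer subject and the hash are the decisive fields, not Status. Second, a high-severity hit is a reason to follow Rapid7's advice (re-image, rotate credentials, reinstall v8.3.8 or higher), not to clean the file in place, since fffmpeg.exe only bootstraps further PowerShell stages.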
The researchers discovered two malicious JAVS Viewer packages on the vendor's server; both were signed with a certificate issued on February 10. On April 2, 2024, the X user @2RunJack2 first reported the implant being distributed via the official JAVS downloads page.
Rapid7 published Indicators of Compromise (IoC) for this attack together with an attack timeline. [Attack timeline not reproduced here; it names the binaries chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe, and records that OneDriveStandaloneUpdater.exe was later replaced on the C2 infrastructure by a new binary, ChromeDiscovery.exe.] This indicates that the threat actor is actively updating their C2 infrastructure.