{"id":163683,"date":"2024-05-26T04:11:45","date_gmt":"2024-05-26T04:11:45","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=163683"},"modified":"2024-05-26T04:11:47","modified_gmt":"2024-05-26T04:11:47","slug":"supplay-chain-attack-javs-viewer","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/163683\/hacking\/supplay-chain-attack-javs-viewer.html","title":{"rendered":"Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack"},"content":{"rendered":"
Malicious actors compromised the JAVS Viewer installer to deliver the RustDoor malware in a supply chain attack.

Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software.

The attackers injected a backdoor into the JAVS Viewer v8.3.7 installer that was being distributed from JAVS’ own servers.

Justice AV Solutions (JAVS) is a U.S.-based company providing digital audio-visual recording solutions for courtroom settings and other environments, including jails, councils, and lecture rooms. The JAVS Viewer has over 10,000 installations globally. The backdoor delivered by the compromised installer allows attackers to gain full control of infected systems. Rapid7 experts recommend re-imaging the affected systems, resetting associated credentials, and installing the latest version of JAVS Viewer (v8.3.8 or higher).

The researchers noticed that the installer JAVS Viewer Setup 8.3.7.250-1.exe was digitally signed with an unexpected Authenticode signature and included a binary called fffmpeg.exe. That binary executed encoded PowerShell scripts. Rapid7 linked fffmpeg.exe to the GateDoor/RustDoor malware, which was first identified by security firm S2W.

“Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”.” reads the report published by Rapid7. “Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.

\"\"<\/a><\/figure>\n\n\n\n


“The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.”

The researchers discovered two malicious JAVS Viewer packages on the vendor’s server; both were signed with a certificate issued on February 10.

On April 2, 2024, the X user @2RunJack2 was the first to report the implant being distributed from the official JAVS downloads page.


🚨 Windows version of RustDoor alert!

📷 The malware is being hosted on the official website of JAVS. The file is Viewer 8.3.7 Setup Executable – Version 8.3.7, and this file comes with a valid certificate. The Attacker has now developed a Windows version that merges with…
https://t.co/Vi2sxZveGQ

— 𝓙𝓪𝓬𝓴2 (@2RunJack2) April 2, 2024