Malicious actors have backdoored the installer associated with courtroom video recording software developed by Justice AV Solutions (JAVS) to deliver malware that’s associated with a known backdoor called RustDoor.
The software supply chain attack, tracked as CVE-2024-4978, impacts JAVS Viewer v8.3.7, a component of the JAVS Suite 8 that allows users to create, manage, publish, and view digital recordings of courtroom proceedings, business meetings, and city council sessions.
Cybersecurity firm Rapid7 said it commenced an investigation earlier this month after discovering a malicious executable called “fffmpeg.exe” (note the three Fs) in the Windows installation folder of the software, tracing it to a binary named “JAVS Viewer Setup 8.3.7.250-1.exe” that was downloaded from the official JAVS site on March 5, 2024.
“Analysis of the installer JAVS Viewer Setup 8.3.7.250-1.exe showed that it was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe,” Rapid7 researchers said, adding it “observed encoded PowerShell scripts being executed by the binary fffmpeg.exe.”
Both fffmpeg.exe and the installer have been signed by an Authenticode certificate issued to “Vanguard Tech Limited,” as opposed to “Justice AV Solutions Inc,” the signing entity used to authenticate the legitimate versions of the software.
Upon execution, fffmpeg.exe establishes contact with a command-and-control (C&C) server using Windows sockets and WinHTTP requests in order to send information about the compromised host and await further instructions from the server.
It’s also designed to run obfuscated PowerShell scripts that attempt to bypass Antimalware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW), after which it executes a command to download an additional payload that masquerades as an installer for Google Chrome (“chrome_installer.exe”) from a remote server.
This binary, in turn, contains code to drop Python scripts and another executable named “main.exe” and launch the latter with the aim of gathering credentials from web browsers. Rapid7’s analysis of “main.exe” found software bugs that prevented it from running properly.
RustDoor, a Rust-based backdoor malware, was first documented by Bitdefender earlier this February as targeting Apple macOS devices by mimicking an update for Microsoft Visual Studio as part of likely targeted attacks using job offering lures.
Subsequent analysis by South Korean cybersecurity company S2W unearthed a Windows version codenamed GateDoor that’s programmed in Golang.
“Both RustDoor and GateDoor have been confirmed to be distributed under the guise of normal program updates or utilities,” S2W researchers Minyeop Choi, Sojun Ryu, Sebin Lee, and HuiSeong Yang noted later that month. “RustDoor and GateDoor have overlapping endpoints used when communicating with the C&C server and have similar functions.”
There is infrastructure evidence connecting the malware family to a ransomware-as-a-service (RaaS) affiliate called ShadowSyndicate. However, it is also possible that ShadowSyndicate is acting as a collaborator specializing in providing infrastructure to other actors.
The use of a trojanized JAVS Viewer installer to distribute a Windows version of RustDoor was previously also flagged by S2W on April 2, 2024, in a post on X (formerly Twitter). It’s currently not clear how the vendor’s site was breached and a malicious installer became available for download.
JAVS, in a statement provided to the cybersecurity vendor, said it identified a “potential security issue” with JAVS Viewer version 8.3.7, and that it pulled the impacted version from the website, reset all passwords, and conducted a full audit of its systems.
“No JAVS Source code, certificates, systems, or other software releases were compromised in this incident,” the American company said. “The file in question did not originate from JAVS or any third-party associated with JAVS. We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install.”
Users are advised to check for indicators of compromise (IoCs), and if found to be infected, completely re-image all affected endpoints, reset credentials, and update to the latest version of JAVS Viewer.
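As an added example (not from the article, JAVS, or Rapid7), the PowerShell below performs the two checks recommended above: it verifies that JAVS binaries carry a valid Authenticode signature from “Justice AV Solutions Inc” and flags the “Vanguard Tech Limited” signer and the “fffmpeg.exe” file named in the report. The install folder path and the installer location are assumptions; adjust them for your environment.

```powershell
# Added example: verify JAVS Authenticode signers and look for the reported IoCs.
# Assumed paths (not from the article); change to match your installation.
$ExpectedSigner = 'Justice AV Solutions Inc'
$Paths = @(
    'C:\Program Files (x86)\JAVS\Viewer 8\*.exe',                    # assumed install folder
    "$env:USERPROFILE\Downloads\JAVS Viewer Setup 8.3.7.250-1.exe"   # assumed download location
)

function Test-JavsSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # Trusted only when the chain validates AND the subject CN is the vendor's.
    $ok = ($sig.Status -eq 'Valid') -and ($subject -like "*CN=$ExpectedSigner*")
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Trusted = $ok
    }
}

$results = Get-ChildItem -Path $Paths -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-JavsSignature -Path $_.FullName }

# Per the report, the trojanized build is signed by "Vanguard Tech Limited"
# and drops fffmpeg.exe (three Fs); either is an indicator of compromise.
$suspicious = $results | Where-Object {
    (-not $_.Trusted) -or
    ($_.Signer -like '*Vanguard Tech Limited*') -or
    ((Split-Path $_.File -Leaf) -ieq 'fffmpeg.exe')
}

$results | Format-Table -AutoSize
if ($suspicious) {
    Write-Warning 'Unexpected signer or known-malicious file found (see CVE-2024-4978 guidance).'
    $suspicious | Format-Table -AutoSize
}
```

A hit on either check is a reason to treat the host as compromised and follow the re-image, credential reset, and update steps above rather than simply deleting the file.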