JAVS

A software maker whose products are used in more than 10,000 courtrooms worldwide shipped an application update containing a hidden backdoor that kept up continuous communication with a malicious website, researchers said Thursday, in the latest example of a supply-chain attack.

The software, JAVS Viewer 8, is a component of JAVS Suite 8, a package courtrooms use to record, play back, and manage audio and video from proceedings. Its maker, Justice AV Solutions of Louisville, Kentucky, says its products are used in more than 10,000 courtrooms across the US and 11 other countries. The company has been in business for 35 years.

High-risk scenario for JAVS Viewer users

Researchers from security firm Rapid7 said that a version of JAVS Viewer 8 available for download on javs.com contained a backdoor that gave an unknown threat actor persistent access to compromised devices. The malicious download, packaged inside an executable that installs JAVS Viewer version 8.3.7, was available no later than April 1, according to a post on X (formerly Twitter). It is not clear when the tainted version was removed from the company's download page. JAVS representatives did not immediately respond to emailed questions.

“Users with version 8.3.7 of the JAVS Viewer executable installed are in a precarious situation and should take immediate measures,” wrote the Rapid7 researchers – Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger. “This version includes a backdoored installer granting assailants complete control over affected systems.”

The installer file was named JAVS Viewer Setup 8.3.7.250-1.exe. When run, it copied the binary fffmpeg.exe to the path C:\Program Files (x86)\JAVS\Viewer 8. To avoid security warnings, the installer carried a digital signature, but one issued to an entity called “Vanguard Tech Limited” rather than “Justice AV Solutions Inc.,” the signer used for legitimate JAVS software.

fffmpeg.exe then used Windows Sockets and WinHTTP to open communications with a command-and-control server. Once a connection was established, fffmpeg.exe sent the server passwords harvested from browsers along with details about the compromised host, including the hostname, operating system details, processor architecture, program working directory, and the username.

The researchers said fffmpeg.exe also downloaded the file chrome_installer.exe from the IP address 45.120.177.178. Once retrieved, chrome_installer.exe launched a binary and a series of Python scripts that stole passwords saved in browsers. fffmpeg.exe is associated with a known malware family identified as GateDoor/Rustdoor. The executable had already been flagged by 30 endpoint protection engines.

A screenshot from VirusTotal showing detections from 30 endpoint protection engines. (Credit: Rapid7)

The detection count had risen to 38 by the time of this publication.
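As an added example, written for this article and not taken from Rapid7 or JAVS, the PowerShell triage script below checks a Windows host for the indicators described above: the dropped fffmpeg.exe, executables in the JAVS directory whose Authenticode signer is not Justice AV Solutions Inc., a leftover copy of the trojanized installer, and live connections to the IP address named in the write-up. The install path and the download locations it searches are assumptions; a hit means the host should follow the re-image and credential-reset guidance rather than be cleaned in place.

```powershell
# Added triage example (not Rapid7's or JAVS's code). Flags the indicators the
# write-up names; it does not remove anything. $InstallDir is the default path
# the article cites and is an assumption for non-default installs.
$InstallDir     = 'C:\Program Files (x86)\JAVS\Viewer 8'
$ExpectedSigner = 'Justice AV Solutions Inc.'   # legitimate JAVS signer
$InstallerName  = 'JAVS Viewer Setup 8.3.7.250-1.exe'
$C2Addresses    = @('45.120.177.178')          # download host from the write-up
$Findings       = @()

# 1. The dropped binary fffmpeg.exe inside the JAVS install directory.
$Dropped = Join-Path $InstallDir 'fffmpeg.exe'
if (Test-Path $Dropped) { $Findings += "Backdoor binary present: $Dropped" }

# 2. Any executable under the install directory that is unsigned, has a
#    broken signature, or is signed by someone other than JAVS (the trojanized
#    installer was signed as "Vanguard Tech Limited").
$exes = Get-ChildItem -Path $InstallDir -Filter *.exe -Recurse -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    $sig     = Get-AuthenticodeSignature -FilePath $exe.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
        $Findings += "Unexpected signer on $($exe.FullName): status=$($sig.Status) subject=$subject"
    }
}

# 3. Leftover copies of the trojanized installer (assumed locations).
foreach ($dir in @("$env:USERPROFILE\Downloads", $env:TEMP)) {
    $candidate = Join-Path $dir $InstallerName
    if (Test-Path $candidate) { $Findings += "Trojanized installer on disk: $candidate" }
}

# 4. Active TCP connections to the address the backdoor fetched its payload from.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2Addresses -contains $_.RemoteAddress }
foreach ($c in $conns) {
    $Findings += "Active connection to $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No JAVS Viewer 8.3.7 indicators found on this host.'
} else {
    Write-Output 'INDICATORS FOUND - re-image the host and reset credentials:'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session so Get-NetTCPConnection can report owning process IDs and the install directory is readable.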

The researchers cautioned that cleaning up compromised devices requires care. They advised:

To resolve this matter, affected users must:

  • Reimage all endpoints where JAVS Viewer 8.3.7 was installed. A mere uninstallation of the software is insufficient, as malefactors may have inserted additional backdoors or malware. Re-imaging provides a clean slate.
  • Reset credentials for any accounts utilized on affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period of JAVS Viewer 8.3.7 installation. Attackers could have filched credentials from compromised systems.
  • Reset credentials employed in web browsers on impacted endpoints. Browser sessions might have been seized to purloin cookies, stored passwords, or other confidential data.
  • Install the most recent edition of JAVS Viewer (8.3.8 or above) post re-imaging impacted systems. The new version lacks the backdoor present in 8.3.7.

Fully re-imaging the impacted endpoints and resetting associated credentials is crucial to prevent assailants from persisting through backdoors or siphoning off credentials. All organizations running JAVS Viewer 8.3.7 must urgently implement these measures to tackle the compromise.

The Rapid7 write-up included a statement from JAVS confirming that the installer for version 8.3.7 of the JAVS Viewer was malicious.

“We withdrew all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted an exhaustive internal audit of all JAVS systems,” mentioned the statement. “We have verified that all presently available files on JAVS.com are genuine and free of malware. Moreover, we confirmed that no JAVS source code, certificates, systems, or other software releases were compromised in this incident.”

The statement did not explain how the installer came to be available for download on the company's site. It also did not say whether the company engaged an outside firm to investigate the matter.

The incident is the latest example of a supply-chain attack, a tactic that tampers with a legitimate service or piece of software with the aim of infecting all of its downstream users. Such attacks typically begin with a breach of the service or software provider. While there is no foolproof way to prevent them, one useful practice is to check a file on VirusTotal before running it. Following that advice would have served JAVS users well.