Malicious actors have backdoored the installer for courtroom video recording software developed by Justice AV Solutions (JAVS) to deliver malware associated with a known backdoor called RustDoor.
The software supply chain attack, tracked as CVE-2024-4978, affects JAVS Viewer v8.3.7, a component of JAVS Suite 8 that allows users to create, manage, publish, and view digital recordings of courtroom proceedings, business meetings, and city council sessions.
Cybersecurity firm Rapid7 said it began an investigation earlier this month after discovering a malicious executable called "fffmpeg.exe" (note the three Fs) in the Windows installation folder of the software, tracing it to a binary named "JAVS Viewer Setup 8.3.7.250-1.exe" that was downloaded from the official JAVS site on March 5, 2024.
"Analysis of the installer JAVS Viewer Setup 8.3.7.250-1.exe showed that it was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe," Rapid7 researchers said, adding that they "observed encoded PowerShell scripts being executed by the binary fffmpeg.exe."
Both fffmpeg.exe and the installer were signed with an Authenticode certificate issued to "Vanguard Tech Limited," rather than "Justice AV Solutions Inc," the signing entity used to authenticate legitimate versions of the software. The signature itself was therefore not a useful trust signal on its own; only the signer's identity distinguished the trojanized build from a genuine one.
Upon execution, fffmpeg.exe establishes contact with a command-and-control (C&C) server using Windows sockets and WinHTTP requests in order to send information about the compromised host and await further instructions from the server.
It is also designed to run obfuscated PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW), after which it executes a command to download an additional payload that masquerades as an installer for Google Chrome ("chrome_installer.exe") from a remote server.
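The encoded PowerShell Rapid7 observed is the kind of artifact that process-creation auditing (Windows Security event 4688 with command-line logging, or Sysmon event 1) will capture as a `-EncodedCommand` argument. As an added example, not code from the article, Rapid7, or JAVS, the following PowerShell decodes such arguments from command lines and flags well-known AMSI/ETW tampering strings. The sample command lines are constructed here, and the indicator list is a generic set of commonly abused names (`AmsiUtils`, `amsiInitFailed`, `AmsiScanBuffer`, `EtwEventWrite`, `NtTraceEvent`), not strings taken from the fffmpeg.exe analysis.

```powershell
# Added example (not from the article, Rapid7 or JAVS).
# Decodes -EncodedCommand payloads from process command lines and flags
# common AMSI/ETW tampering indicators. Sample inputs below are constructed.

# Constructed sample command lines; the encoded payloads are built inline so
# the sample is obviously synthetic rather than captured from a real host.
$sampleCommandLines = @(
    ('powershell.exe -NoProfile -EncodedCommand ' +
        [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))),
    ('powershell.exe -w hidden -enc ' +
        [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
            '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils"); EtwEventWrite'))),
    'notepad.exe C:\Users\Public\readme.txt'
)

function Get-DecodedEncodedCommand {
    param([string]$CommandLine)
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so match the prefix rather than the full switch name.
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]+)') {
        try {
            $bytes = [Convert]::FromBase64String($Matches[1])
            # -EncodedCommand payloads are UTF-16LE, not ASCII or UTF-8.
            return [Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            return $null   # not valid base64: leave it for a human
        }
    }
    return $null
}

function Test-AmsiEtwTampering {
    param([string]$Script)
    # Generic indicator names (assumption: a common set, not from the page).
    $patterns = @('AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer', 'EtwEventWrite', 'NtTraceEvent')
    # -match is case-insensitive by default, which is what we want here.
    return @($patterns | Where-Object { $Script -match $_ })
}

foreach ($cl in $sampleCommandLines) {
    $decoded = Get-DecodedEncodedCommand -CommandLine $cl
    if ($null -eq $decoded) { continue }          # no encoded argument present
    $hits = @(Test-AmsiEtwTampering -Script $decoded)
    $verdict = if ($hits.Count -gt 0) { "SUSPICIOUS ($($hits -join ', '))" } else { 'clean' }
    "{0}`n  decoded: {1}`n  verdict: {2}" -f $cl, $decoded, $verdict
}
```

Encoded commands are not themselves malicious, so the decoder only surfaces the content and the indicator match is what decides the verdict; on a real host, feed `Get-DecodedEncodedCommand` the `CommandLine` field of each 4688 or Sysmon event rather than the constructed list.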
This binary, in turn, contains code to drop Python scripts and another executable named "main.exe" and launch the latter with the goal of harvesting credentials from web browsers. Rapid7's analysis of "main.exe" found software bugs that prevented it from running properly.
RustDoor, a Rust-based backdoor, was first documented by Bitdefender earlier this February as targeting Apple macOS devices by mimicking an update for Microsoft Visual Studio as part of likely targeted attacks using job offer lures.
Subsequent analysis by South Korean cybersecurity company S2W unearthed a Windows version codenamed GateDoor that is programmed in Golang.
"Both RustDoor and GateDoor have been confirmed to be distributed under the guise of normal program updates or utilities," S2W researchers Minyeop Choi, Sojun Ryu, Sebin Lee, and HuiSeong Yang noted later that month. "RustDoor and GateDoor have overlapping endpoints used when communicating with the C&C server and have similar functions."
There is infrastructure evidence connecting the malware family to a ransomware-as-a-service (RaaS) affiliate known as ShadowSyndicate. However, it has also raised the possibility that the group could be acting as a collaborator specializing in providing infrastructure to other actors.
The use of a trojanized JAVS Viewer installer to distribute a Windows version of RustDoor was previously flagged by S2W on April 2, 2024, in a post on X (formerly Twitter). It is currently not clear how the vendor's site was breached and a malicious installer became available for download.
JAVS, in a statement provided to the cybersecurity vendor, said it identified a "potential security issue" with JAVS Viewer version 8.3.7, and that it pulled the affected version from the website, reset all passwords, and conducted a full audit of its systems.
"No JAVS Source code, certificates, systems, or other software releases were compromised in this incident," the American company said. "The file in question did not originate from JAVS or any third-party associated with JAVS. We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install."
Users are advised to check for indicators of compromise (IoCs) and, if found to be infected, completely re-image all affected endpoints, reset credentials, and update to the latest version of JAVS Viewer. Because the trojanized installer carried a valid signature from the wrong publisher, "digitally signed" should be read as "signed by Justice AV Solutions Inc," not merely "has a signature that validates."
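JAVS asks users to verify its digital signature, but as the incident shows, checking only that a signature validates is not enough: the trojanized build validated under "Vanguard Tech Limited." As an added example, not code from the article, Rapid7, or JAVS, the following PowerShell script checks that an installer's Authenticode chain is valid and that the signer's subject name is the expected publisher, then sweeps an installation directory for the two indicators the article describes (a file named fffmpeg.exe, and any binary signed by the rogue publisher). The installer path, installation directory, and the use of `Get-AuthenticodeSignature` as the verification method are assumptions; the two publisher names come from the article.

```powershell
# Added example (not from the article, Rapid7 or JAVS).
# 1) Verify an installer is signed by the expected publisher, not just "signed".
# 2) Sweep an install directory for the indicators described in the article.
param(
    [string]$InstallerPath = 'C:\Downloads\JAVS Viewer Setup 8.3.7.250-1.exe',  # assumed path
    [string]$InstallDir    = 'C:\Program Files (x86)\JAVS'                       # assumed path
)

$ExpectedSigner = 'Justice AV Solutions Inc'   # legitimate signer, per the article
$KnownBadSigner = 'Vanguard Tech Limited'      # signer on the trojanized build, per the article

function Get-SignerCommonName {
    param($Signature)
    # SimpleName yields the leaf certificate's CN; empty string if unsigned.
    if ($Signature.SignerCertificate) {
        return $Signature.SignerCertificate.GetNameInfo('SimpleName', $false)
    }
    return ''
}

function Test-ExpectedSigner {
    param([string]$Path, [string]$Expected)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cn  = Get-SignerCommonName $sig
    # Both conditions matter: a chain that validates (Status) AND the expected
    # publisher. A valid signature from the wrong publisher is the failure mode here.
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $cn
        Trusted = ($sig.Status -eq 'Valid') -and ($cn -eq $Expected)
    }
}

function Find-JavsIndicators {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) { return @() }
    Get-ChildItem -Path $Dir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $cn  = Get-SignerCommonName $sig
            $reasons = @()
            # Indicator 1: the three-F filename, distinct from the legitimate ffmpeg.exe.
            if ($_.Name -ieq 'fffmpeg.exe') { $reasons += 'filename fffmpeg.exe (three Fs)' }
            # Indicator 2: anything signed by the rogue publisher, whatever its name.
            if ($cn -eq $KnownBadSigner)    { $reasons += "signed by $KnownBadSigner" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Path = $_.FullName; Signer = $cn; Reason = ($reasons -join '; ') }
            }
        }
}

if (Test-Path -LiteralPath $InstallerPath) {
    $result = Test-ExpectedSigner -Path $InstallerPath -Expected $ExpectedSigner
    $result | Format-List
    if (-not $result.Trusted) {
        Write-Warning "Do not run '$InstallerPath': status=$($result.Status), signer='$($result.Signer)' (expected '$ExpectedSigner')"
    }
}

$hits = @(Find-JavsIndicators -Dir $InstallDir)
if ($hits.Count -gt 0) {
    Write-Warning 'Indicators found: re-image the host, rotate credentials, reinstall from a clean build'
    $hits | Format-Table -AutoSize
} else {
    "No fffmpeg.exe or '$KnownBadSigner'-signed binaries found under $InstallDir"
}
```

The sweep deliberately keys on the publisher name rather than a file hash, because the article gives none and a rebuilt payload would change the hash but not necessarily the certificate; if Rapid7's published IoCs include hashes for your environment, add a `Get-FileHash` comparison alongside the signer check.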