Backdoor Found in Courtroom Recording Software Installer

A backdoored installer has been discovered in a version of JAVS Viewer, audio-visual recording software used in courtrooms. The researchers who discovered the backdoor are urging users of the specific affected version, 8.3.7, to re-image impacted endpoints, reset credentials and update to the latest version of the software.

JAVS Viewer is part of the JAVS Suite 8 recording software product from Justice AV Solutions, a U.S.-based company that on its website says it has 10,000 installations of its technologies used globally in courtrooms, jury rooms, prison facilities and more. JAVS Viewer specifically opens media and log files created from other parts of the JAVS software suite. Researchers with Rapid7 said that they discovered a malicious Windows installer in JAVS Viewer version 8.3.7, which was available for download on the company’s website.

“Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action,” according to researchers with Rapid7 in a Thursday alert. “This version contains a backdoored installer that allows attackers to gain full control of affected systems.”

On May 10, researchers began investigating an incident involving an executed binary named fffmpeg.exe. They traced the binary back to JAVS Viewer Setup 8.3.7.250-1.exe, which had been downloaded from the legitimate Justice AV Solutions website on March 5. Researchers tracked the activity related to the backdoored installer back to February, when the first of two malicious JAVS Viewer packages was signed with a Vanguard certificate (the second was signed in March).

“Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to ‘Vanguard Tech Limited,’” said researchers. “This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to ‘Justice AV Solutions Inc.’”

Researchers found that the fffmpeg.exe binary was associated with GateDoor, Windows malware with loader functionality, and RustDoor, macOS malware with backdoor functionality. Both of these malware families have previously been distributed via fake distribution websites purporting to be legitimate sites. Upon closer inspection of the binary, researchers found that it gives threat actors unauthorized remote access, sending system information about the compromised host to the command-and-control (C2) server after installation and attempting to bypass the Event Tracing for Windows and Anti-Malware Scan Interface features. The malware also downloads payloads with capabilities to scrape browser credentials.

Researchers urged impacted users to completely re-image their potentially impacted endpoints and reset any associated credentials. Users should install the latest version of JAVS Viewer (8.3.8), said researchers. Justice AV Solutions said in a statement that after identifying the compromised file, it pulled all versions of Viewer 8.3.7 from its website, reset all passwords and conducted an internal audit of JAVS systems.

“We confirmed all currently available files on the JAVS.com website are genuine and malware-free,” according to the company in a statement. “We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident… We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect.”
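One way to act on that advice at the endpoint, as an added example that is not from Rapid7 or Justice AV Solutions: a PowerShell check that reports the Authenticode signer of JAVS-related executables and flags anything not signed by the vendor. The folder paths are assumptions; adjust them to wherever JAVS is installed or its installers were downloaded.

```powershell
# Added example (not code from Rapid7 or Justice AV Solutions).
# Reports the Authenticode signer of JAVS-related files and flags any that are
# unsigned, have an invalid signature, or are signed by someone other than the vendor.
# The two folders below are assumed locations; change them for your environment.
$paths          = @("C:\Program Files (x86)\JAVS", "$env:USERPROFILE\Downloads")
$expectedSigner = "Justice AV Solutions Inc."   # vendor signer named in the article
$knownBadSigner = "Vanguard Tech Limited"        # signer of the backdoored installer per Rapid7
$suspectNames   = @("fffmpeg.exe")               # binary dropped by the backdoored installer

function Test-JavsSignature {
    $files = Get-ChildItem -Path $paths -Recurse -Include *.exe,*.dll,*.msi -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        $sig     = Get-AuthenticodeSignature -FilePath $f.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }

        # Order matters: a known-bad signer or known-bad file name outranks a merely
        # unexpected or invalid signature, so the worst finding is what gets reported.
        $verdict =
            if ($subject -like "*$knownBadSigner*")      { "MALICIOUS SIGNER" }
            elseif ($suspectNames -contains $f.Name)     { "KNOWN MALICIOUS FILE NAME" }
            elseif ($sig.Status -ne 'Valid')             { "UNSIGNED OR INVALID SIGNATURE" }
            elseif ($subject -notlike "*$expectedSigner*") { "UNEXPECTED SIGNER" }
            else                                         { "OK" }

        [pscustomobject]@{
            File    = $f.FullName
            Version = $f.VersionInfo.ProductVersion   # 8.3.7 builds warrant a re-image per Rapid7
            Status  = $sig.Status
            Signer  = $subject
            Verdict = $verdict
        }
    }
}

# Show anything that is not cleanly vendor-signed first.
Test-JavsSignature | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

A clean signature from the vendor only tells you the file was not tampered with after signing; a host that ever ran the 8.3.7 installer still needs the re-image and credential reset described above.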

Software supply-chain compromise attacks are particularly insidious because they are deployed using legitimate software that is downloaded by a large array of companies, creating a vast net of targeted organizations. Last year, a major attack was discovered in the 3CX voice and video desktop client, for instance, which was itself caused by another supply chain attack after a 3CX employee installed a compromised Trading Technologies app.