Threat actors compromised a popular audio-visual software package used in courtrooms, prisons, government, and lecture rooms around the world by injecting a loader malware that gives the hackers remote access to infected systems, collecting data about the host computer and downloading more malicious payloads along the way.
The software supply chain attack targeted Justice AV Solutions’ Viewer v8.3.7 software with a Windows version of the RustDoor – called GateDoor – that allows the attackers to assume control of the system the software is running on, according to researchers with cybersecurity firm Rapid7.
JAVS Viewer is part of the vendor’s JAVS Suite 8, which includes a range of tools for everything from recording and searching sessions to scheduling and logging them. JAVS Viewer gives users access to previous JAVS log and media files and plays back recorded sessions. It can be downloaded from the company’s website and ships as a Windows-based installer package that, once executed, runs with high privileges.
There are more than 10,000 installations of its technologies around the world.
According to Rapid7’s research, the first of at least two malicious versions of the JAVS Viewer package was signed on February 21 with a certificate issued to “Vanguard Tech Limited,” with the second being signed a month later. Rapid7 kicked off its investigation of the compromise on May 10 after finding a malicious executable called “fffmpeg.exe” in the Windows installation folder. The researchers traced it back to a binary, “JAVS Viewer Setup 8.3.7.259-1.exe,” which had been downloaded from the official JAVS site on March 5.
“During the investigation, Rapid7 observed encoded PowerShell scripts being executed by the binary fffmpeg.exe,” the researchers wrote in their report. “Based on open-source intelligence, Rapid7 determined that the binary fffmpeg.exe is associated with the GateDoor/Rustdoor family of malware.”
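The behaviour described above, a loader binary launching encoded PowerShell, is something defenders can hunt for in process-creation telemetry. The following is an added example, not code from Rapid7 or from JAVS: it decodes the `-EncodedCommand` argument (PowerShell accepts the abbreviations `-e`, `-ec` and `-enc` as well) and flags launches whose parent process is one that should never spawn PowerShell. The log format (pipe-separated `ParentImage`, `Image`, `CommandLine` fields), the JAVS install path, and the sample events are all constructed for illustration; only the parent name `fffmpeg.exe` comes from the report.

```python
import base64
import re

# Parent processes from which an encoded PowerShell launch is unexpected.
# fffmpeg.exe is the loader named in Rapid7's report; anything else here
# would be a site-specific addition.
SUSPICIOUS_PARENTS = {"fffmpeg.exe"}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Matches -EncodedCommand and the abbreviated forms PowerShell accepts.
ENC_FLAG = re.compile(r"-(?:enc(?:odedcommand)?|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; raises ValueError on malformed input."""
    return base64.b64decode(blob).decode("utf-16-le")


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(line: str):
    """Return a finding for an encoded PowerShell launch, or None if the event is not one."""
    ev = parse_event(line)
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if image not in POWERSHELL_IMAGES:
        return None
    match = ENC_FLAG.search(ev.get("CommandLine", ""))
    if match is None:
        return None
    try:
        decoded = decode_ps(match.group(1))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        decoded = "<undecodable>"
    return {
        "parent": parent,
        "decoded": decoded,
        "suspicious_parent": parent in SUSPICIOUS_PARENTS,
    }


def scan(lines):
    """Findings for every encoded PowerShell launch in the input."""
    return [f for f in map(analyze, lines) if f is not None]


def alerts(lines):
    """Only the findings whose parent process is on the suspicious list."""
    return [f for f in scan(lines) if f["suspicious_parent"]]


# Constructed sample events; the install path is assumed, not taken from the report.
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # loader launching a hidden, encoded PowerShell command (the reported pattern)
    "ParentImage=C:\\Program Files\\JAVS\\Viewer 8\\fffmpeg.exe|Image=" + PS_PATH
    + "|CommandLine=powershell.exe -nop -w hidden -ec " + encode_ps("Write-Host 'constructed sample'"),
    # an operator running an encoded command from the desktop: decoded, but not flagged
    "ParentImage=C:\\Windows\\explorer.exe|Image=" + PS_PATH
    + "|CommandLine=powershell.exe -EncodedCommand " + encode_ps("Get-Date"),
    # ordinary script execution with no encoded command
    "ParentImage=C:\\Windows\\explorer.exe|Image=" + PS_PATH
    + "|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # unrelated process
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        flag = "ALERT" if finding["suspicious_parent"] else "info "
        print(f"{flag} parent={finding['parent']} decoded={finding['decoded']!r}")
```

Decoding the argument matters more than matching the flag: an encoded command from `explorer.exe` is usually an administrator, while the same launch from a vendor-named helper binary is the pattern worth escalating, and the decoded script is what an analyst needs to see.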
Cybersecurity firm Bitdefender in February wrote about RustDoor, a backdoor written in the Rust programming language and aimed at macOS users. The researchers also found artifacts and indicators of compromise (IoCs) suggesting that the malware may be linked to the high-profile ransomware groups Black Basta and BlackCat (also known as ALPHV).
In February, researchers with security company S2W discovered a Windows-based version of RustDoor, which they called GateDoor because it was written in the Golang (Go) programming language rather than Rust. Both are disguised to look like normal program updates or utilities, with RustDoor using Apple-related keywords like “Mac,” “Apple,” and “iCloud” in the addresses of its command-and-control (C2) servers, while GateDoor poses as the WebViewHost utility.
“Attackers’ use of Golang and Rust, which support cross-platforms, is increasing, and the possibility of writing code more efficiently by utilizing AI technologies such as ChatGPT and Copilot when developing malware has undoubtedly increased,” they wrote.
In April, a threat intelligence researcher wrote on X (formerly Twitter) about a Windows version of RustDoor that was being hosted on JAVS’ website, with the file carrying a valid certificate.
Rapid7 got involved when responding to an alert in an organization’s environment and traced it back to an installer downloaded from JAVS’s website. Within days, the researchers found three more malicious payloads hosted on the bad actor’s C2 infrastructure and an unlinked installer file containing the second Viewer package that could still be downloaded from the site, confirming JAVS’ site as the source of the initial infection. There were further indications on May 17 that the threat actor was continuing to update their C2.
After being executed, the fffmpeg.exe binary persistently communicated with its C2 server via Windows sockets and WinHTTP requests, the researchers wrote.
“Once successfully connected, fffmpeg.exe transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2,” they wrote.
In a statement at the end of Rapid7’s report, JAVS executives wrote about identifying the security issue in a previous version of JAVS Viewer, 8.3.7.
“Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file,” they wrote, adding that they pulled all versions of Viewer 8.3.7 from the company website, reset all passwords, and audited all JAVS systems.
In addition, all available files on the site are “genuine and malware-free,” they wrote.
Rapid7 said users should install the latest version of JAVS Viewer – 8.3.8 or higher – but only after re-imaging systems affected by the backdoor.
“Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials,” they wrote.
They said they alerted JAVS to the problem – tracked as CVE-2024-4978 – and worked with CISA to coordinate disclosure.