Analysis Summary

Threat actors have introduced malware into the installer of the popular Justice AV Solutions (JAVS) courtroom video recording software, creating a backdoor that allows them to take control of infected systems.

The digital recording technology, commonly referred to as JAVS, is presently installed in over 10,000 courtrooms, law offices, penal facilities, and other entities globally, according to the company that created it. Since then, JAVS has taken down the compromised version from its official website, claiming that neither JAVS nor any of its affiliated third parties were the source of the trojanized program that contained a malicious fffmpeg.exe file.

To make sure that, in the unlikely event that they were stolen, the organization reset all passwords and performed a thorough examination of all systems. The company discovered attempts to swap out their Viewer 8.3.7 software with a compromised file through continuous monitoring and cooperation with cybersecurity authorities. They also verified that every file that is currently accessible on the JAVS.com website is authentic and virus-free. They confirmed that this issue did not compromise any systems, JAVS Source code, certificates, or other software releases.

After looking into this supply chain event (tracked as CVE-2024-4978), the researchers discovered that the trojanized JAVS installer was originally discovered in early April and was connected to the Rustdoor/GateDoor malware. After the malware is installed and run, it sends system information to its command-and-control (C2) server, which was found during the analysis of an incident connected to CVE-2024-4978 on May 10.

Then, it runs two PowerShell scripts that have been obfuscated in an attempt to deactivate Event Tracing for Windows (ETW) and get around the Anti-Malware Scan Interface (AMSI). Subsequently, a second malicious payload that was received from its C2 server releases Python scripts that begin gathering login credentials that are saved in the system's web browsers.

Researchers say that the backdoored installer (JAVS.Viewer8.Setup_8.3.7.250-1.exe), which is categorized as a malware dropper by numerous security vendors, was obtained from the official JAVS website. Customers of JAVS were cautioned by the cybersecurity firm on Thursday to reimage all endpoints where the trojanized installer was installed.

After reimaging the systems, they should also upgrade the JAVS Viewer software to version 8.3.9 or above (the most recent secure version) and reset all credentials used to connect to potentially affected endpoints to guarantee that the attackers' access is cut off. It is not enough to just uninstall the software because there could be more viruses or backdoors installed by the attackers. Reimaging offers a fresh start. It's imperative to fully reimage impacted endpoints and reset related credentials to make sure attackers haven't continued using backdoors or credentials they obtained.

The manufacturer of video conferencing software, 3CX, said in March of last year that a North Korean threat group identified as UNC4736 had trojanized its desktop client, 3CXDesktopApp Electron, in a similar attack to disseminate malware. The threat actors employed a malicious version of a ffmpeg DLL in that attack. Four years ago, after downloading builds of the SolarWinds Orion IT administration platform between March 2020 and June 2020, the Russian threat actor APT29 managed to get into SolarWinds' internal networks and compromise the systems of several U.S. federal agencies.

Impact

• Unauthorized Access
• Credential Theft
• Sensitive Information Theft

Indicators of Compromise

MD5

• 5720c4b272dfe4983498c535f268dc3b
• fee6830fb94f73bc30ac188bff601716
• 4cf5222fe52b9140b111ed7b79790157
• 4038a50422f957bc24b6a5bb8374e1d0
• b296fbbed7e8cd22851ac572ff4f1cc1
• 705c66c62ca7d398dac747154c2dc3fc

SHA-256

• f8a734d5e7a7b99b29182dddf804d5daa9d876bf39ce7a04721794367a73da51
• 4150452d8041a6ec73c447cbe3b1422203fffdfbf5c845dbac1bed74b33a5e09
• 2183c102c107d11ae8aa1e9c0f2af3dc8fa462d0683a033d62a982364a0100d0
• 4f0ca76987edfe00022c8b9c48ad239229ea88532e2b7a7cd6811ae353cd1eda
• fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c
• aace6f617ef7e2e877f3ba8fc8d82da9d9424507359bb7dcf6b81c889a755535

SHA1

• 1746f95e185e9ce12d0cf773eb2363580594d832
• fc0d2d4a5ee817282c763f53b699be96735c2fdf
• cd60955033d1da273a3fda61f69d76f6271e7e4c
• eca9116cf3ce457d3f42f8811785b7243effa26c
• b8e97333fc1b5cd29a71299a8f82a541cabf4d59
• b9d13055766d792abaf1d11f18c6ee7618155a0e

URL

• https://45.120.177.178/gateway/register
• https://45.120.177.178/gateway/report

Remediation

• Refer to the JAVS Website for patch, upgrade, or suggested workaround information.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
• Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Keep your operating system and apps up-to-date with the latest security patches and updates
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.