Recording software used in courtroom environments has been found to contain a backdoored installer that allows attackers to gain full control of user systems, Rapid7 researchers have warned.
The issue affects customers who have installed Justice AV Solutions (JAVS) Viewer v8.3.7, which is a portfolio of audio/video recording, viewing, and management software for government organizations and businesses.
JAVS is known to be heavily used in courtrooms, chambers and jury rooms in the US, as well as jail and prison facilities.
Rapid7 made the discovery after investigating an alert in a managed detection and response customer environment, involving the execution of a binary named fffmpeg.exe.
The infection was traced back to the download of a binary named ‘JAVS Viewer Setup 8.3.7.250-1.exe,’ which was downloaded from the official JAVS site on March 5, 2024.
The fffmpeg.exe binary has been determined to be associated with the GateDoor/Rustdoor family of malware.
The researchers subsequently discovered three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000.
The attackers also appear to be actively updating their command and control (C2) infrastructure, for example replacing one of the additional binary’s with a new one.
How JAVS Customers Are Impacted
During their investigation of the customer incident, the researchers found the issue allows attackers to gain full control of affected systems – stealing credentials and implanting additional backdoors or malware.
Rapid7 said the fffmpeg.exe program facilitates unauthorized remote access. Upon execution, it persistently communicates with a C2 server using Windows sockets and WinHTTP requests.
Once connected, the binary transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the username to the C2.
Persistent connection is then established, enabling the binary to receive commands from the C2.
The researchers observed two obfuscated PowerShell scripts executed by fffmpeg.exe. After deobfuscating these scripts, it was determined that they will attempt to bypass anti-malware tools before executing a command to download an additional payload.
This payload, main.exe, was designed to scrape browsers’ credentials.
How to Address the Security Risk
Rapid7 warned that any users of v8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action.
New versions of JAVS Viewer (8.3.8 or higher) do not contain the backdoor. However, simply uninstalling the software is insufficient, as attackers may have established persistence through additional backdoors or malware, and stolen credentials from compromised systems.
Therefore, users are advised to reimage any endpoints where JAVS Viewer 8.3.7 was installed. This involves:
- Resetting credentials for any accounts that were logged into affected endpoints, including local accounts on the endpoint itself and any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed
- Resetting credentials used in web browsers on affected endpoints
Rapid7 added that users should manually check for file ffmeg.exe. If this malicious file is detected, they should undertake a full reimage of the PC and a reset of any credentials used by the user on that computer.
After completing the reimaging process, users should instal a new version of the software.
In a statement addressing the issue, JAVS said that it had pulled all versions of Viewer 8.3.7 from its website, reset all passwords, and conducted a full internal audit of all JAVS systems.
It added that all currently available files on the JAVS.com website are genuine and malware-free.
The firm said: “We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect. We are revisiting our release process to strengthen file certification. We strongly suggest that customers keep updated with all software releases and security patches and use robust security measures, such as firewalls and malware protection.”