CVSS3: 8.4 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
AI Score: 8.8 High (Confidence: High)
EPSS: 0.028 Low (Percentile: 90.7%)
The following Rapid7 team members contributed to this blog: Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger
Justice AV Solutions (JAVS) is a U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments. According to the vendor's website, JAVS technologies are used in courtrooms, chambers and jury rooms, jail and prison facilities, and council, hearing, and lecture rooms. Their company website cites over 10,000 installations of their technologies worldwide.
Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems. Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. Users should install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. These findings were identified through an investigation performed by Rapid7 analysts.
On Friday, May 10, 2024, Rapid7 initiated an investigation into an incident involving the execution of a binary named fffmpeg.exe from within the file path C:\Program Files (x86)\JAVS\Viewer 8\. The investigation traced the infection back to the download of a binary named JAVS Viewer Setup 8.3.7.250-1.exe that was downloaded from the official JAVS site on March 5th. Analysis of the installer JAVS Viewer Setup 8.3.7.250-1.exe showed that it was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe. During the investigation, Rapid7 observed encoded PowerShell scripts being executed by the binary fffmpeg.exe.
Based on open-source intelligence, Rapid7 determined that the binary fffmpeg.exe is associated with the GateDoor/Rustdoor family of malware discovered by researchers at security firm S2W.
Note: CVE-2024-4978 has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) list as of May 29, 2024.
JAVS Suite 8 is a portfolio of audio/video recording, viewing, and management software for government organizations and businesses. The affected "JAVS Viewer" software is designed to open media and log files created by other pieces of JAVS Suite software. It is available to download via the vendor's website, and it's shipped as a Windows-based installer package that prompts for high privileges upon execution.
This issue was discovered and documented by Ipek Solak, Detection and Response Analyst at Rapid7. Rapid7 is grateful to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for their prompt assistance coordinating disclosure of this issue, and to Justice AV Solutions for their quick response.
A full vendor statement from Justice AV Solutions is available at the end of this blog and includes information about the actions JAVS has taken.
You can find Rapid7's coordinated disclosure policy here.
The malicious Windows installer JAVS.Viewer8.Setup_8.3.7.250-1.exe contains an unexpected binary file fffmpeg.exe (1.4 MB, SHA1: e41ec15f2bac76914b4a86cade3a0f4619167f52). Note the three f characters in the binary name; the expected ffmpeg.exe binary only has two f characters.
Searching VirusTotal for this binary's SHA1 reveals that several vendors classify this binary as a malicious dropper:
Figure 1 - The Dropper's VirusTotal Details
VirusTotal reports this binary was first seen on the VT platform May 3, 2024.
Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to "Vanguard Tech Limited". This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to "Justice AV Solutions Inc". Searching VirusTotal for other files signed by "Vanguard Tech Limited" shows the following.
Figure 2 - VirusTotal Vanguard Certificate Results
The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.
The Windows Installer file (b8e97333fc1b5cd29a71299a8f82a541cabf4d59) contains multiple bundled files, including a file called Dll2.dll (SHA1: cd60955033d1da273a3fda61f69d76f6271e7e4c). The file contains a string called "HelloWorld" and, from the execution path perspective, this looks like a test. From an OPSEC point of view, the file was not "cleaned" but contains the compilation information, in this case the full PDB path: C:\Users\User\source\repos\Dll2\x64\Debug\Dll2.pdb
Additional binaries were found hosted on the C2 infrastructure over port 8000: chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe. The threat actor later removed OneDriveStandaloneUpdater.exe from C2 infrastructure and replaced it with a new binary, ChromeDiscovery.exe. This indicates that the threat actor is actively updating their C2 infrastructure.
During Rapid7's initial examination of the binary fffmpeg.exe, it became evident that the program facilitates unauthorized remote access. Upon execution, fffmpeg.exe persistently communicates with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, fffmpeg.exe transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name, to the C2.
Figure 3 - Sample Network Traffic Containing Information About the Host
Subsequently, a persistent connection is established, with the binary poised to receive commands from the C2.
While investigating an incident regarding the binary fffmpeg.exe, Rapid7 observed the execution of two obfuscated PowerShell scripts.
Figure 4 - Encoded PowerShell Script Spawned by fffmpeg.exe
Rapid7 deobfuscated the PowerShell scripts executed by fffmpeg.exe and determined the script will attempt to bypass the Anti-Malware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW) for the launched PowerShell session, before executing a command to download an additional payload.
Figure 5 - De-obfuscated PowerShell Script Spawned by fffmpeg.exe
During analysis of chrome_installer.exe, Rapid7 observed that the binary contained code to drop Python scripts and a binary named main.exe within the Temp folder, passing the string {TEMP}\\onefile_{PID}_{TIME} as an argument to a function whose responsibility was to build out the file path.
Figure 6 - Temp Folder Creation Using String {TEMP}\onefile_{PID}_{TIME}
Once the new software was dropped, chrome_installer.exe was responsible for executing the binary main.exe using the function CreateProcessW. After analysis of main.exe, Rapid7 observed that it contained compiled Python code within the resource section whose purpose was to scrape browsers' credentials. We also observed that main.exe was compiled using Nuitka, a Python program designed to compile Python scripts into standalone executables. During the investigation, Rapid7 observed that main.exe did not execute properly, indicating an issue in the original source code.
Figure 7 - Code References to Nuitka
IOC | Description | SHA256
---|---|---
JAVS.Viewer8.Setup_8.3.7.250-1.exe | JAVS Viewer 8.3.7 installer downloaded from the domain javs[.]com. Shown as having a valid signature, Subject: Vanguard Tech Limited | A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72
fffmpeg.exe | Reaches out to hxxps://45.120.177[.]178/gateway/register and hxxps://45.120.177[.]178/gateway/report. Shown as having a valid signature, Subject: Vanguard Tech Limited | A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72
Chrome_installer.exe | Potential second-stage infostealer; however, did not execute properly due to 64-bit and 32-bit compatibility issues | F8A734D5E7A7B99B29182DDDF804D5DAA9D876BF39CE7A04721794367A73DA51
Main.exe | Executed as part of chrome_installer.exe; contains Python compiled code within the resource section. Seems to scrape users' browser credentials | 4150452D8041A6EC73C447CBE3B1422203FFFDFBF5C845DBAC1BED74B33A5E09
45.120.177[.]178 | Attacker C2 using ISP Stark Industries Solutions Ltd | 
hxxps://www[.]javs[.]com/download/45819/ | Official JAVS website URL that Rapid7 observed hosting malware | 
hxxps://45.120.177[.]178/gateway/register | Path used by fffmpeg.exe to contact C2 | 
hxxps://45.120.177[.]178/gateway/report | Path used by fffmpeg.exe to contact C2 | 
Vanguard Tech Limited Certificate | Issued by SSL.com: PKCS#7 signature from a certificate for "Vanguard Tech Limited" issued by "SSL.com Code Signing Intermediate CA RSA R1" | 
Dll2.dll | A "Hello World" test library bundled with the malicious installer | 2183c102c107d11ae8aa1e9c0f2af3dc8fa462d0683a033d62a982364a0100d0
firefox_updater.exe | Found hosted on C2 over port 8000. Contains StealC InfoStealer | 4F0CA76987EDFE00022C8B9C48AD239229EA88532E2B7A7CD6811AE353CD1EDA
ChromeDiscovery.exe | Found hosted on C2 over port 8000. Binary is packed with a Go binary, similar to the fffmpeg.exe backdoor. Communicates to the same C2 identified from fffmpeg.exe. Shown as having a valid signature, Subject: Vanguard Tech Limited | D8DEF4437BD76279EC6351B65156D670EC0FED24D904E6648DE536FED1061671
OneDriveStandaloneUpdater.exe | Found hosted on C2 over port 8000. Binary is packed with a Go binary, similar to the fffmpeg.exe backdoor. Communicates to the same C2 identified from fffmpeg.exe. Note: This binary was later removed from the C2 and replaced with ChromeDiscovery.exe | C65EE0F73F53B287654B6446FFE7264E0D93B24302E7F0036F5E7DB3748749B9
IOC | Description | SHA256
---|---|---
JAVS.Viewer8.Setup_8.3.7.250-1.exe | Found by searching C2 IP via OSINT (<https://www.virustotal.com/gui/file/fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c>). Shown as having a valid signature, Subject: Vanguard Tech Limited | FE408E2DF48237B11CB724FA51B6D5E9C74C8F5D5B2955C22962095C7ED70B2C
fffmpeg.exe | Reaches out to hxxps://45.120.177[.]178/gateway/register and hxxps://45.120.177[.]178/gateway/report. Shown as having a valid signature, Subject: Vanguard Tech Limited | AACE6F617EF7E2E877F3BA8FC8D82DA9D9424507359BB7DCF6B81C889A755535
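As an added example (not Rapid7's or JAVS's own tooling), the following PowerShell triage script applies the host-level checks described above: it flags fffmpeg.exe by name, compares SHA256 hashes against the installer and fffmpeg.exe values from the IOC tables, and checks the Authenticode signer of each binary under the JAVS directory for the "Vanguard Tech Limited" subject. The install path, the expected signer string, and the uninstall-key display-name pattern are assumptions taken from the write-up and may need adjusting.

```powershell
# Added example, not part of the Rapid7 write-up or of the JAVS software.
# Assumption: default install path named in the write-up; adjust if JAVS lives elsewhere.
$JavsDir        = 'C:\Program Files (x86)\JAVS\Viewer 8'
$ExpectedSigner = 'Justice AV Solutions Inc'   # legitimate signer per the write-up (assumed exact string)
$BadSigner      = 'Vanguard Tech Limited'      # signer seen on the backdoored files
# SHA256 values of the backdoored installer and fffmpeg.exe, taken from the IOC tables above
$KnownBad = @(
    'A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72',
    'FE408E2DF48237B11CB724FA51B6D5E9C74C8F5D5B2955C22962095C7ED70B2C',
    'AACE6F617EF7E2E877F3BA8FC8D82DA9D9424507359BB7DCF6B81C889A755535'
)

function Test-JavsBinary {
    param([System.IO.FileInfo]$File)
    $reasons = @()
    # 1. Name: the backdoor is fffmpeg.exe (three f's); ffmpeg.exe (two f's) is legitimate.
    if ($File.Name -ieq 'fffmpeg.exe') { $reasons += 'name matches backdoor (three f characters)' }
    # 2. Hash: compare against the published SHA256 indicators.
    $hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    if ($KnownBad -contains $hash) { $reasons += 'SHA256 matches a published IOC' }
    # 3. Signer: JAVS binaries should carry the vendor's signature, never Vanguard Tech Limited's.
    $sig     = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -like "*$BadSigner*")             { $reasons += "signed by $BadSigner" }
    elseif ($subject -notlike "*$ExpectedSigner*") { $reasons += "review: unexpected signer $subject" }
    if ($reasons) {
        [pscustomobject]@{ Path = $File.FullName; SHA256 = $hash; Signer = $subject; Reasons = ($reasons -join '; ') }
    }
}

# Installed-version check via the standard Uninstall keys (the display-name pattern is an assumption).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*JAVS*Viewer*' -and $_.DisplayVersion -like '8.3.7*' } |
    ForEach-Object { Write-Warning "Affected version installed: $($_.DisplayName) $($_.DisplayVersion)" }

$findings = @()
if (Test-Path -LiteralPath $JavsDir) {
    $findings = Get-ChildItem -LiteralPath $JavsDir -Recurse -File -Include *.exe, *.dll |
                ForEach-Object { Test-JavsBinary -File $_ }
}
if ($findings) {
    $findings | Format-List
    Write-Warning 'Indicators found: re-image the endpoint and reset associated credentials before reinstalling Viewer 8.3.8 or later.'
} else {
    Write-Output "No indicators found under $JavsDir."
}
```

Run from an elevated session; unsigned third-party components under the JAVS directory are reported as review items rather than confirmed indicators.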
Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems.
To remediate this issue, affected users should:
- Completely re-image affected endpoints.
- Reset all associated credentials.
- Install the latest version of JAVS Viewer (8.3.8 or higher) only after re-imaging.
Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.
InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:
InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-4978 with a vulnerability check expected to be available in today's (Thursday, May 23) content release.
Justice AV Solutions provided the following statement to Rapid7 on Wednesday, May 22, 2024. According to JAVS:
"Justice AV Solutions (JAVS) is committed to providing our clients with secure and reliable software solutions. We recently identified a potential security issue with a previous version of our JAVS Viewer software (Version 8.3.7).
Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file. We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.
The file in question did not originate from JAVS or any 3rd party associated with JAVS. We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect. We are revisiting our release process to strengthen file certification. We strongly suggest that customers keep updated with all software releases and security patches and use robust security measures, such as firewalls and malware protection.
JAVS service technicians typically install the Viewer software in question. We have all members of our service team validating installations of Viewer software on any potentially affected systems, specifically checking for the presence of the malicious file in question - fffmpeg.exe with three "f"s. Note, the JAVS file ffmpeg.exe with two "f"s is a legitimate file.
What You Should Do:
Manually check for file fffmpeg.exe: If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer. If Viewer 8.3.7.250 is the version currently installed, but no malicious files are found, we advise uninstalling the Viewer software and performing a full Anti-Virus/malware scan. Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8.
Upgrade Your JAVS Viewer: We strongly recommend that all users of JAVS Viewer software upgrade to the latest version (Version 8.3.9 or higher). Upgrading is simple and can be completed by following the instructions included in the software update notification or by visiting our website at <https://www.javs.com/downloads/>
We appreciate your understanding and cooperation in maintaining a secure environment for all our users. If you have any questions or concerns, please do not hesitate to contact our support team at 1-877-JAVSHLP (877-528-7457).
Sincerely,
The Justice AV Solutions Security Team"