Last updated at Thu, 30 May 2024 07:25:19 GMT

*The following Rapid7 team members contributed to this blog: Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger*

Overview

Justice AV Solutions (JAVS) is a U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments. According to the vendor’s website, JAVS technologies are used in courtrooms, chambers and jury rooms, jail and prison facilities, and council, hearing, and lecture rooms. Their company website cites over 10,000 installations of their technologies worldwide.

Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems. Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. Users should install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. These findings were identified through an investigation performed by Rapid7 analysts.

On Friday, May 10, 2024, Rapid7 initiated an investigation into an incident involving the execution of a binary named fffmpeg.exe from within the file path C:\Program Files (x86)\JAVS\Viewer 8\. The investigation traced the infection back to the download of a binary named JAVS Viewer Setup 8.3.7.250-1.exe that was downloaded from the official JAVS site on March 5th. Analysis of the installer JAVS Viewer Setup 8.3.7.250-1.exe showed that it was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe. During the investigation, Rapid7 observed encoded PowerShell scripts being executed by the binary fffmpeg.exe.

Based on open-source intelligence, Rapid7 determined that the binary fffmpeg.exe is associated with the GateDoor/Rustdoor family of malware discovered by researchers at security firm S2W.

Note: CVE-2024-4978 has been added to the U.S. Cybersecurity and Infrastructure Security's (CISA) Known Exploited Vulnerabilities (KEV) list as of May 29, 2024.

Product Description

JAVS Suite 8 is a portfolio of audio/video recording, viewing, and management software for government organizations and businesses. The affected “JAVS Viewer” software is designed to open media and log files created by other pieces of JAVS Suite software. It is available to download via the vendor's website, and it’s shipped as a Windows-based installer package that prompts for high privileges upon execution.

Credit

This issue was discovered and documented by Ipek Solak, Detection and Response Analyst at Rapid7. Rapid7 is grateful to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for their prompt assistance coordinating disclosure of this issue, and to Justice AV Solutions for their quick response.

A full vendor statement from Justice AV Solutions is available at the end of this blog and includes information about the actions JAVS has taken.

You can find Rapid7’s coordinated disclosure policy here.

Rapid7-Observed Attacker Behavior

The malicious Windows installer JAVS.Viewer8.Setup_8.3.7.250-1.exe contains an unexpected binary file fffmpeg.exe (1.4 MB, SHA1: e41ec15f2bac76914b4a86cade3a0f4619167f52). Note the three f characters in the binary name; the expected ffmpeg.exe binary only has two f characters.

Searching VirusTotal for this binary’s SHA1 reveals that several vendors classify this binary as a malicious dropper:

Screenshot-2024-05-22-at-6.51.46-PM
Figure 1 - The Dropper’s VirusTotal Details

VirusTotal reports this binary was first seen on the VT platform May 3, 2024.

Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”. Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.

Screenshot-2024-05-22-at-6.53.45-PM
Figure 2- VirusTotal Vanguard Certificate 十大赌博正规信誉网址

The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.

The Windows Installer file (b8e97333fc1b5cd29a71299a8f82a541cabf4d59) contains multiple bundled files, including a file called Dll2.dll (SHA1: cd60955033d1da273a3fda61f69d76f6271e7e4c). The file contains a string called “HelloWorld” and from the execution path perspective, this looks like a test. From an OPSEC point of view, the file was not ‘cleaned’ but contains the compilation information, in this case the full PDB path: C:\Users\User\source\repos\Dll2\x64\Debug\Dll2.pdb

Exploitation Timeline

  • Feb 10, 2024: A certificate is issued for the subject Vanguard Tech Limited, which the certificate indicates is based in London.
  • Feb 21, 2024: The first of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
  • April 2, 2024: The Twitter user @2RunJack2 tweets about malware being served by the official JAVS downloads page. It’s not stated whether the vendor was notified.
  • Mar 12, 2024: The second of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
  • May 10, 2024: Rapid7 investigates a new alert in a Managed Detection and Response customer environment. The source of the infection is traced back to an installer that was downloaded from the official JAVS site. The malware file that was downloaded by the victim, the first Viewer package, is not observed to be accessible on the vendor’s download page. It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor).
  • May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000: chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe.
  • May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site. This confirms that the vendor site was the source of the initial infection.
  • May 17, 2024: Rapid7 discovers that the threat actor removed the binary OneDriveStandaloneUpdater.exe from C2 infrastructure and replaced it with a new binary, ChromeDiscovery.exe. This indicates that the threat actor is actively updating their C2 infrastructure.

Impact

During Rapid7’s initial examination of the binary fffmpeg.exe, it became evident that the program facilitates unauthorized remote access. Upon execution, fffmpeg.exe persistently communicates with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, fffmpeg.exe transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.

Screenshot-2024-05-22-at-6.54.35-PM
Figure 3 - Sample Network Traffic Containing Information About the Host

Subsequently, a persistent connection is established, with the binary poised to receive commands from the C2.

While investigating an incident regarding the binary fffmpeg.exe, Rapid7 observed the execution of two obfuscated PowerShell scripts.

Screenshot-2024-05-22-at-6.55.31-PM
Figure 4 - Encoded PowerShell Script Spawned by fffmpeg.exe

Rapid7 deobfuscated the PowerShell scripts executed by fffmpeg.exe and determined the script will attempt to bypass the Anti-Malware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW) for the launched PowerShell session, before executing a command to download an additional payload.

Screenshot-2024-05-22-at-6.56.09-PM
Figure 5 - De-obfuscated PowerShell Script Spawned by fffmpeg.exe

During analysis of chrome_installer.exe, Rapid7 observed that the binary contained code to drop Python scripts and a binary named main.exe within the Temp folder, passing the string {TEMP}\\onefile_{PID}_{TIME} as an argument to a function whose responsibility was to build out the file path.

Screenshot-2024-05-22-at-6.57.06-PM
Figure 6 - Temp Folder Creation Using String {TEMP}\onefile_{PID}_{TIME}

Once the new software was dropped, chrome_installer.exe was responsible for executing the binary main.exe using the function CreateProcessW. After analysis of main.exe, Rapid7 observed that it contained compiled Python code within the resource section whose purpose was to scrape browsers’ credentials. We also observed that main.exe was compiled using Nuitka, a Python program designed to compile Python scripts into standalone executables. During the investigation, Rapid7 observed that main.exe did not execute properly, indicating an issue in the original source code.

Screenshot-2024-05-22-at-6.58.12-PM
Figure 7 - Code References to Nuitka

IOCs

IOC Description SHA256
JAVS.Viewer8.Setup_8.3.7.250-1.exe JAVS Viewer 8.3.7 installer downloaded from the domain javs[.]com

Shown as having a valid signature:
Subject: Vanguard Tech Limited
A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72
fffmpeg.exe Reaches out to hxxps://45.120.177[.]178/gateway/register and hxxps://45.120.177.178/gateway/report

Shown as having a valid signature:
Subject: Vanguard Tech Limited
A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72
Chrome_installer.exe Potential second stage infostealer; however, did not execute properly due to 64-bit and 32-bit compatibility issues. F8A734D5E7A7B99B29182DDDF804D5DAA9D876BF39CE7A04721794367A73DA51
Main.exe Executed as a part of chrome_installer.exe, contains Python compiled code within the resource section. Seems to scrape users’ browser credentials 4150452D8041A6EC73C447CBE3B1422203FFFDFBF5C845DBAC1BED74B33A5E09
45.120.177[.]178 Attacker C2 using ISP Stark Industries Solutions Ltd
hxxps://www[.]javs[.]com/download/45819/ Official JAVS website URL that Rapid7 observed hosting malware
hxxps://45.120.177[.]178/gateway/register Path used by fffmpeg.exe to contact C2
hxxps://45.120.177[.]178/gateway/report Path used by fffmpeg.exe to contact C2
Vanguard Tech Limited Certificate Issued by SSL.com:

PKCS#7 signature from a certificate for 'Vanguard Tech Limited' issued by 'SSL.com Code Signing Intermediate CA RSA R1'
Dll2.dll A “Hello World” test library bundled with the malicious installer 2183c102c107d11ae8aa1e9c0f2af3dc8fa462d0683a033d62a982364a0100d0
firefox_updater.exe Found hosted on C2 over port 8000. Contains StealC InfoStealer 4F0CA76987EDFE00022C8B9C48AD239229EA88532E2B7A7CD6811AE353CD1EDA
ChromeDiscovery.exe Found hosted on C2 over port 8000. Binary is packed with a Go binary, similar to the fffmpeg.exe backdoor. Communicates to the same C2 identified from fffmpeg.exe.

Shown as having a valid signature:
Subject: Vanguard Tech Limited
D8DEF4437BD76279EC6351B65156D670EC0FED24D904E6648DE536FED1061671
OneDriveStandaloneUpdater.exe Found hosted on C2 over port 8000. Binary is packed with a Go binary, similar to the fffmpeg.exe backdoor. Communicates to the same C2 identified from fffmpeg.exe.

Note: This binary was later removed from the C2 and replaced with ChromeDiscovery.exe
C65EE0F73F53B287654B6446FFE7264E0D93B24302E7F0036F5E7DB3748749B9

Identified by Open Source Intelligence (OSINT)

IOC Description SHA256
JAVS.Viewer8.Setup_8.3.7.250-1.exe Found by searching C2 IP via OSINT.
http://www.virustotal.com/gui/file/fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c

Shown as having a valid signature:
Subject: Vanguard Tech Limited
FE408E2DF48237B11CB724FA51B6D5E9C74C8F5D5B2955C22962095C7ED70B2C
fffmpeg.exe Reaches out to hxxps://45.120.177[.]178/gateway/register and hxxps://45.120.177.178/gateway/report

Shown as having a valid signature:
Subject: Vanguard Tech Limited
AACE6F617EF7E2E877F3BA8FC8D82DA9D9424507359BB7DCF6B81C889A755535

Remediation

Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems.

To remediate this issue, affected users should:

  • Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
  • Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
  • Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
  • Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.

Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.

Rapid7 Customers

InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

  • Suspicious Process - Execution From Root of ProgramData
  • Attacker Technique - PowerShell Registry Cradle
  • PowerShell - Obfuscated Script
  • Attacker Technique - PowerShell Download Cradles
  • Attacker Technique - PowerShell Backtick Obfuscation
  • Backdoor - Potential JAVS Backdoor

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-4978 with a vulnerability check expected to be available in today’s (Thursday, May 23) content release.

Vendor Statement

Justice AV Solutions provided the following statement to Rapid7 on Wednesday, May 22, 2024. According to JAVS:

“Justice AV Solutions (JAVS) is committed to providing our clients with secure and reliable software solutions. We recently identified a potential security issue with a previous version of our JAVS Viewer software (Version 8.3.7).

Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file. We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.

The file in question did not originate from JAVS or any 3rd party associated with JAVS. We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect. We are revisiting our release process to strengthen file certification. We strongly suggest that customers keep updated with all software releases and security patches and use robust security measures, such as firewalls and malware protection.

JAVS service technicians typically install the Viewer software in question. We have all members of our service team validating installations of Viewer software on any potentially affected systems, specifically checking for the presence of the malicious file in question - fffmpeg.exe with three “f’s.” Note, the JAVS file ffmpeg.exe with two “f’s” is a legitimate file.

What You Should Do:
Manually check for file fffmeg.exe: If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer. If Viewer 8.3.7.250 is the version currently installed, but no malicious files are found, we advise uninstalling the Viewer software and performing a full Anti-Virus/malware scan. Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8.

Upgrade Your JAVS Viewer: We strongly recommend that all users of JAVS Viewer software upgrade to the latest version (Version 8.3.9 or higher). Upgrading is simple and can be completed by following the instructions included in the software update notification or by visiting our website at http://www.javs.com/downloads/

We appreciate your understanding and cooperation in maintaining a secure environment for all our users. If you have any questions or concerns, please do not hesitate to contact our support team at 1-877-JAVSHLP (877-528-7457).

Sincerely,
The Justice AV Solutions Security Team”

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.