Compromised courtroom recording software was served from vendor’s official site

Courtroom recording software JAVS Viewer has been saddled with loader malware and has been served from the developer’s site since at least April 2, a threat researcher warned last month.

After analyzing a flagged installer detected in a customer’s environment, Rapid7 threat analysts have come to a similar conclusion.

The malware hiding in the JAVS Viewer installer

According to Rapid7, the installer carries a loader associated with the GateDoor/Rustdoor family of malware, which facilitates unauthorized remote access, collects data about the host computer, and downloads additional malicious payloads when instructed to.

The malicious installer – JAVS Viewer Setup, signed by an Authenticode certificate issued to “Vanguard Tech Limited”, and downloaded from the official JAVS site on March 5th – contains and executes a binary named fffmpeg.exe.

That binary executes PowerShell scripts and downloads additional malware that steals sensitive information (e.g., credentials stored in browsers).

“Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action,” the analysts say.

“Completely re-imaging affected endpoints and resetting associated [account] credentials [and browser sessions] is critical to ensure attackers have not persisted through backdoors or stolen credentials. Users should install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems.”

Two compromised installers found

JAVS Viewer opens media and log files created by other pieces of the JAVS software suite, which is specialized software for audio-visual recording in courtroom environments, prison facilities, council and lecture rooms.

The analysts found two malicious JAVS Viewer packages (compromised installers) signed with the Vanguard certificate. The first was traced back to a download from the official JAVS site, but was no longer present when the analysts searched for it.

“It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor),” they said.

The second one they found a few days later was unlinked, but on the official vendor site.

Rapid7 researchers also found additional malicious payloads hosted on the threat actor’s C2 infrastructure, one of which was subsequently downloaded on their affected customer’s system.

JAVS reacts

After Rapid7 reported their findings to Justice AV Solutions, the company investigated and said that they identified “a potential security issue” with version 8.3.7 of their JAVS Viewer software and that they “identified attempts to replace” their Viewer 8.3.7 software with a compromised file.

“We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident,” the company said.

“The file in question did not originate from JAVS or any 3rd party associated with JAVS. We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect. We are revisiting our release process to strengthen file certification.”

They also advised users to manually check for the presence of the fffmpeg.exe malicious file and, if they find it, to re-image the PC and reset credentials.

“If Viewer is the version currently installed, but no malicious files are found, we advise uninstalling the Viewer software and performing a full Anti-Virus/malware scan. Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8,” they added.
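A defender's triage check for the indicators described above (fffmpeg.exe on disk, a Viewer binary or installer signed by “Vanguard Tech Limited”, or a Viewer 8.3.7 version string), written as an added PowerShell example that is not code from JAVS or Rapid7; the search roots and file-name patterns are assumptions to adjust for your deployment.

```powershell
# Added example (not JAVS's or Rapid7's code): triage a Windows host for the
# indicators named in the article. Search roots and name patterns are assumptions.
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA"),
    [string]$SuspectSigner  = 'Vanguard Tech Limited',
    [string]$SuspectVersion = '8.3.7'
)

$findings = @()

# 1. fffmpeg.exe is the file JAVS told users to look for manually.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter 'fffmpeg.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Indicator file present: $($_.FullName)" }
}

# 2. Authenticode check on JAVS Viewer binaries and installers. JAVS advises that
#    anything not signed by JAVS is suspect; the compromised installers carried a
#    certificate issued to 'Vanguard Tech Limited'. Also flag the affected version.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include '*JAVS*Viewer*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $ver     = $_.VersionInfo.ProductVersion
            if ($subject -like "*$SuspectSigner*") {
                $findings += "Suspect signer '$subject' on $($_.FullName)"
            } elseif ($sig.Status -ne 'Valid') {
                $findings += "Signature status $($sig.Status) ($subject) on $($_.FullName)"
            }
            if ($ver -like "$SuspectVersion*") {
                $findings += "Affected version $ver installed: $($_.FullName)"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found; signature and version checks passed.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output 'Indicators found: re-image the host and reset credentials per vendor guidance.'
}
```

Run it elevated so the Program Files trees are fully readable; a hit on any of the three checks warrants the re-image and credential reset the vendor and Rapid7 both recommend.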

UPDATE (May 23, 2024, 06:15 p.m. ET):

This article has been amended to make it clear that despite some ambiguous wording in JAVS’s statement to Rapid7, a backdoored installer was present on JAVS’s website.

Also, that JAVS worked with Rapid7 and CISA throughout the process and that this was a fully coordinated disclosure.
