Last updated at Thu, 30 May 2024 07:25:19 GMT
*The following Rapid7 team members contributed to this blog: Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger*
Overview
Justice AV Solutions (JAVS) is a U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments. According to the vendor’s website, JAVS technologies are used in courtrooms, chambers and jury rooms, jail and prison facilities, and council, hearing, and lecture rooms. Their company website cites over 10,000 installations of their technologies worldwide.
Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems. Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. Users should install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. These findings were identified through an investigation performed by Rapid7 analysts.
On Friday, May 10, 2024, Rapid7 initiated an investigation into an incident involving the execution of a binary named fffmpeg.exe
from within the file path C:\Program Files (x86)\JAVS\Viewer 8\
. The investigation traced the infection back to the download of a binary named JAVS Viewer Setup 8.3.7.250-1.exe
that was downloaded from the official JAVS site on March 5th. Analysis of the installer JAVS Viewer Setup 8.3.7.250-1.exe
showed that it was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe
. During the investigation, Rapid7 observed encoded PowerShell scripts being executed by the binary fffmpeg.exe
.
Based on open-source intelligence, Rapid7 determined that the binary fffmpeg.exe
is associated with the GateDoor/Rustdoor family of malware discovered by researchers at security firm S2W.
Note: CVE-2024-4978 has been added to the U.S. Cybersecurity and Infrastructure Security's (CISA) Known Exploited Vulnerabilities (KEV) list as of May 29, 2024.
Product Description
JAVS Suite 8 is a portfolio of audio/video recording, viewing, and management software for government organizations and businesses. The affected “JAVS Viewer” software is designed to open media and log files created by other pieces of JAVS Suite software. It is available to download via the vendor's website, and it’s shipped as a Windows-based installer package that prompts for high privileges upon execution.
Credit
This issue was discovered and documented by Ipek Solak, Detection and Response Analyst at Rapid7. Rapid7 is grateful to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for their prompt assistance coordinating disclosure of this issue, and to Justice AV Solutions for their quick response.
A full vendor statement from Justice AV Solutions is available at the end of this blog and includes information about the actions JAVS has taken.
You can find Rapid7’s coordinated disclosure policy here.
Rapid7-Observed Attacker Behavior
The malicious Windows installer JAVS.Viewer8.Setup_8.3.7.250-1.exe
contains an unexpected binary file fffmpeg.exe
(1.4 MB, SHA1: e41ec15f2bac76914b4a86cade3a0f4619167f52). Note the three f characters in the binary name; the expected ffmpeg.exe
binary only has two f characters.
Searching VirusTotal for this binary’s SHA1 reveals that several vendors classify this binary as a malicious dropper:
Figure 1 - The Dropper’s VirusTotal Details
VirusTotal reports this binary was first seen on the VT platform May 3, 2024.
Both the fffmpeg.exe
binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”. Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.
Figure 2- VirusTotal Vanguard Certificate Results
The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe
(SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.
The Windows Installer file (b8e97333fc1b5cd29a71299a8f82a541cabf4d59) contains multiple bundled files, including a file called Dll2.dll
(SHA1: cd60955033d1da273a3fda61f69d76f6271e7e4c). The file contains a string called “HelloWorld” and from the execution path perspective, this looks like a test. From an OPSEC point of view, the file was not ‘cleaned’ but contains the compilation information, in this case the full PDB path: C:\Users\User\source\repos\Dll2\x64\Debug\Dll2.pdb
Exploitation Timeline
- Feb 10, 2024: A certificate is issued for the subject Vanguard Tech Limited, which the certificate indicates is based in London.
- Feb 21, 2024: The first of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
- April 2, 2024: The Twitter user @2RunJack2 tweets about malware being served by the official JAVS downloads page. It’s not stated whether the vendor was notified.
- Mar 12, 2024: The second of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
- May 10, 2024: Rapid7 investigates a new alert in a Managed Detection and Response customer environment. The source of the infection is traced back to an installer that was downloaded from the official JAVS site. The malware file that was downloaded by the victim, the first Viewer package, is not observed to be accessible on the vendor’s download page. It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor).
- May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000:
chrome_installer.exe
,firefox_updater.exe
, andOneDriveStandaloneUpdater.exe
. - May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site. This confirms that the vendor site was the source of the initial infection.
- May 17, 2024: Rapid7 discovers that the threat actor removed the binary
OneDriveStandaloneUpdater.exe
from C2 infrastructure and replaced it with a new binary,ChromeDiscovery.exe
. This indicates that the threat actor is actively updating their C2 infrastructure.
Impact
During Rapid7’s initial examination of the binary fffmpeg.exe
, it became evident that the program facilitates unauthorized remote access. Upon execution, fffmpeg.exe
persistently communicates with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, fffmpeg.exe
transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.
Figure 3 - Sample Network Traffic Containing Information About the Host
Subsequently, a persistent connection is established, with the binary poised to receive commands from the C2.
While investigating an incident regarding the binary fffmpeg.exe
, Rapid7 observed the execution of two obfuscated PowerShell scripts.
Figure 4 - Encoded PowerShell Script Spawned by fffmpeg.exe
Rapid7 deobfuscated the PowerShell scripts executed by fffmpeg.exe
and determined the script will attempt to bypass the Anti-Malware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW) for the launched PowerShell session, before executing a command to download an additional payload.
Figure 5 - De-obfuscated PowerShell Script Spawned by fffmpeg.exe
During analysis of chrome_installer.exe
, Rapid7 observed that the binary contained code to drop Python scripts and a binary named main.exe
within the Temp folder, passing the string {TEMP}\\onefile_{PID}_{TIME}
as an argument to a function whose responsibility was to build out the file path.
Figure 6 - Temp Folder Creation Using String {TEMP}\onefile_{PID}_{TIME}
Once the new software was dropped, chrome_installer.exe
was responsible for executing the binary main.exe
using the function CreateProcessW
. After analysis of main.exe
, Rapid7 observed that it contained compiled Python code within the resource section whose purpose was to scrape browsers’ credentials. We also observed that main.exe
was compiled using Nuitka, a Python program designed to compile Python scripts into standalone executables. During the investigation, Rapid7 observed that main.exe
did not execute properly, indicating an issue in the original source code.
Figure 7 - Code References to Nuitka
IOCs
IOC | Description | SHA256 |
---|---|---|
JAVS.Viewer8.Setup_8.3.7.250-1.exe | JAVS Viewer 8.3.7 installer downloaded from the domain javs[.]com Shown as having a valid signature: Subject: Vanguard Tech Limited |
A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72 |
fffmpeg.exe |
Reaches out to hxxps://45.120.177[.]178/gateway/register and hxxps://45.120.177.178/gateway/report Shown as having a valid signature: Subject: Vanguard Tech Limited |
A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72 |
Chrome_installer.exe | Potential second stage infostealer; however, did not execute properly due to 64-bit and 32-bit compatibility issues. | F8A734D5E7A7B99B29182DDDF804D5DAA9D876BF39CE7A04721794367A73DA51 |
Main.exe | Executed as a part of chrome_installer.exe , contains Python compiled code within the resource section. Seems to scrape users’ browser credentials |
4150452D8041A6EC73C447CBE3B1422203FFFDFBF5C845DBAC1BED74B33A5E09 |
45.120.177[.]178 | Attacker C2 using ISP Stark Industries Solutions Ltd | |
hxxps://www[.]javs[.]com/download/45819/ | Official JAVS website URL that Rapid7 observed hosting malware | |
hxxps://45.120.177[.]178/gateway/register | Path used by fffmpeg.exe to contact C2 |
|
hxxps://45.120.177[.]178/gateway/report | Path used by fffmpeg.exe to contact C2 |
|
Vanguard Tech Limited Certificate | Issued by SSL.com: PKCS#7 signature from a certificate for 'Vanguard Tech Limited' issued by 'SSL.com Code Signing Intermediate CA RSA R1' |
|
Dll2.dll | A “Hello World” test library bundled with the malicious installer | 2183c102c107d11ae8aa1e9c0f2af3dc8fa462d0683a033d62a982364a0100d0 |
firefox_updater.exe | Found hosted on C2 over port 8000. Contains StealC InfoStealer | 4F0CA76987EDFE00022C8B9C48AD239229EA88532E2B7A7CD6811AE353CD1EDA |
ChromeDiscovery.exe | Found hosted on C2 over port 8000. Binary is packed with a Go binary, similar to the fffmpeg.exe backdoor. Communicates to the same C2 identified from fffmpeg.exe .Shown as having a valid signature: Subject: Vanguard Tech Limited |
D8DEF4437BD76279EC6351B65156D670EC0FED24D904E6648DE536FED1061671 |
OneDriveStandaloneUpdater.exe | Found hosted on C2 over port 8000. Binary is packed with a Go binary, similar to the fffmpeg.exe backdoor. Communicates to the same C2 identified from fffmpeg.exe .Note: This binary was later removed from the C2 and replaced with ChromeDiscovery.exe |
C65EE0F73F53B287654B6446FFE7264E0D93B24302E7F0036F5E7DB3748749B9 |
Identified by Open Source Intelligence (OSINT)
IOC | Description | SHA256 |
---|---|---|
JAVS.Viewer8.Setup_8.3.7.250-1.exe | Found by searching C2 IP via OSINT. https://www.virustotal.com/gui/file/fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c Shown as having a valid signature: Subject: Vanguard Tech Limited |
FE408E2DF48237B11CB724FA51B6D5E9C74C8F5D5B2955C22962095C7ED70B2C |
fffmpeg.exe | Reaches out to hxxps://45.120.177[.]178/gateway/register and hxxps://45.120.177.178/gateway/report Shown as having a valid signature: Subject: Vanguard Tech Limited |
AACE6F617EF7E2E877F3BA8FC8D82DA9D9424507359BB7DCF6B81C889A755535 |
Remediation
Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action. This version contains a backdoored installer that allows attackers to gain full control of affected systems.
To remediate this issue, affected users should:
- Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
- Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
- Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
- Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.
Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.
Rapid7 Customers
InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:
- Suspicious Process - Execution From Root of ProgramData
- Attacker Technique - PowerShell Registry Cradle
- PowerShell - Obfuscated Script
- Attacker Technique - PowerShell Download Cradles
- Attacker Technique - PowerShell Backtick Obfuscation
- Backdoor - Potential JAVS Backdoor
InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-4978 with a vulnerability check expected to be available in today’s (Thursday, May 23) content release.
Vendor Statement
Justice AV Solutions provided the following statement to Rapid7 on Wednesday, May 22, 2024. According to JAVS:
“Justice AV Solutions (JAVS) is committed to providing our clients with secure and reliable software solutions. We recently identified a potential security issue with a previous version of our JAVS Viewer software (Version 8.3.7).
Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file. We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.
The file in question did not originate from JAVS or any 3rd party associated with JAVS. We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect. We are revisiting our release process to strengthen file certification. We strongly suggest that customers keep updated with all software releases and security patches and use robust security measures, such as firewalls and malware protection.
JAVS service technicians typically install the Viewer software in question. We have all members of our service team validating installations of Viewer software on any potentially affected systems, specifically checking for the presence of the malicious file in question - fffmpeg.exe with three “f’s.” Note, the JAVS file ffmpeg.exe with two “f’s” is a legitimate file.
What You Should Do:
Manually check for file fffmeg.exe
: If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer. If Viewer 8.3.7.250 is the version currently installed, but no malicious files are found, we advise uninstalling the Viewer software and performing a full Anti-Virus/malware scan. Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8.
Upgrade Your JAVS Viewer: We strongly recommend that all users of JAVS Viewer software upgrade to the latest version (Version 8.3.9 or higher). Upgrading is simple and can be completed by following the instructions included in the software update notification or by visiting our website at https://www.javs.com/downloads/
We appreciate your understanding and cooperation in maintaining a secure environment for all our users. If you have any questions or concerns, please do not hesitate to contact our support team at 1-877-JAVSHLP (877-528-7457).
Sincerely,
The Justice AV Solutions Security Team”
NEVER MISS AN EMERGING THREAT
Be the first to learn about the latest vulnerabilities and cybersecurity news.
Subscribe Now