Attackers have backdoored the installer of widely used Justice AV Solutions (JAVS) courtroom video recording software with malware that lets them take over compromised systems.
The company behind this software, also known as JAVS, says the digital recording tool currently has over 10,000 installations in many courtrooms, legal offices, correctional facilities, and government agencies worldwide.
JAVS has since removed the compromised version from its official website, saying that the trojanized software containing a malicious fffmpeg.exe binary “did not originate from JAVS or any 3rd party associated with JAVS.”
The company also conducted a full audit of all systems and reset all passwords to ensure that if stolen, they couldn’t be used in future breach attempts.
“Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file,” the company said.
“We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.”
Cybersecurity company Rapid7 investigated this supply chain incident (now tracked as CVE-2024-4978) and found that the S2W Talon threat intelligence group first spotted the trojanized JAVS installer in early April and linked it to the Rustdoor/GateDoor malware.
While analyzing one incident linked to CVE-2024-4978 on May 10, Rapid7 found that the malware sends system information to its command-and-control (C2) server after it gets installed and launched.
It then executes two obfuscated PowerShell scripts that will try to disable Event Tracing for Windows (ETW) and bypass the Anti-Malware Scan Interface (AMSI).
Next, an additional malicious payload downloaded from its C2 server drops Python scripts, which will start collecting credentials stored in web browsers on the system.
According to Rapid7, the backdoored installer (JAVS.Viewer8.Setup_8.3.7.250-1.exe)—classified by many security vendors as a malware dropper—was downloaded from the official JAVS website.
All potentially compromised JAVS endpoints need reimaging
On Thursday, the cybersecurity company warned JAVS customers to reimage all endpoints where they deployed the trojanized installer.
To ensure that the attackers’ access is severed, they should also reset all credentials used to log on to potentially compromised endpoints and upgrade the JAVS Viewer software to version 8.3.9 or higher (the latest safe version) after reimaging the systems.
“Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate,” the company warned.
“Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials.”
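The triage this guidance implies can be run over a file and software inventory. The sketch below is an added example, not code from Rapid7 or JAVS. The inventory layout, hostnames, paths and the UPGRADE category for older Viewer versions without indicators are assumptions, and file-name matching is only a first-pass heuristic because the article gives no hashes.

```python
from pathlib import PureWindowsPath

# Indicators named in the article; matched on exact basename, case-insensitively.
INDICATOR_NAMES = {"fffmpeg.exe", "javs.viewer8.setup_8.3.7.250-1.exe"}
SAFE_VERSION = (8, 3, 9)  # "8.3.9 or higher" per the remediation guidance


def parse_version(text):
    """Turn '8.3.7.250' into (8, 3, 7, 250) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def indicator_hits(paths):
    """Return paths whose file name exactly equals a known indicator name.

    Exact basename comparison matters: a substring search for 'ffmpeg.exe'
    would also match the legitimate ffmpeg.exe that many video tools ship.
    """
    return [p for p in paths if PureWindowsPath(p).name.lower() in INDICATOR_NAMES]


def triage(host):
    """Classify one inventory record as REIMAGE, UPGRADE or OK."""
    hits = indicator_hits(host["files"])
    if hits:
        # Uninstalling is not enough: reimage, then reset credentials.
        return "REIMAGE", hits
    version = host.get("viewer_version")
    # Assumption: an older Viewer with no indicator present only needs upgrading.
    if version and parse_version(version)[:3] < SAFE_VERSION:
        return "UPGRADE", [version]
    return "OK", []


# Constructed sample inventory (hostnames, paths and versions are made up).
INVENTORY = [
    {"host": "court-01", "viewer_version": "8.3.7.250",
     "files": [r"C:\Users\clerk\AppData\Local\Temp\FFFMPEG.EXE"]},
    {"host": "court-02", "viewer_version": "8.3.6",
     "files": [r"C:\Program Files\VideoTool\ffmpeg.exe"]},
    {"host": "court-03", "viewer_version": "8.3.9",
     "files": [r"D:\Downloads\JAVS.Viewer8.Setup_8.3.7.250-1.exe"]},
    {"host": "court-04", "viewer_version": "8.3.10", "files": []},
]

if __name__ == "__main__":
    for record in INVENTORY:
        action, evidence = triage(record)
        print(f"{record['host']}: {action} {evidence}")
```

Note that court-03 is flagged even though its installed Viewer is already 8.3.9: the presence of the trojanized installer on disk is what drives the reimage decision, not the current version.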
In March last year, video conferencing software maker 3CX disclosed that its 3CXDesktopApp Electron-based desktop client was also trojanized in a similar attack by a North Korean hacking group tracked as UNC4736 to distribute malware. During that attack, the threat actors used a malicious version of an ffmpeg DLL.
Four years ago, the Russian APT29 hacking group breached SolarWinds’ internal systems and infiltrated the systems of multiple U.S. government agencies after injecting malicious code into SolarWinds Orion IT administration platform builds that customers downloaded between March 2020 and June 2020.
A JAVS spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more info on when the breach was detected and how many customers were impacted, if any.