Hackers Backdoored Courtroom Video Recording Software With System Hijacking Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

A vulnerability (CVE-2024-4978) has been identified in JAVS Viewer v8.3.7, a critical component for managing digital recordings in legal and government environments. 

The installer for this version is backdoored, allowing attackers to remotely seize control of infected systems, which could grant access to sensitive data and potentially establish persistence on the network. 

To mitigate the risk, users should immediately re-image affected devices and reset all associated credentials.

After a clean system image is established, upgrading to JAVS Viewer v8.3.8 or later is recommended. 

An investigation into malicious fffmpeg.exe binary execution from C:Program Files (x86)JAVSViewer 8 folder revealed a supply chain attack. 

The culprit was traced back to a compromised JAVS Viewer installer (JAVS Viewer Setup 8.3.7.250-1.exe) downloaded from the official JAVS website on March 5th.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

The installer was signed with an unexpected certificate and contained the malicious fffmpeg.exe. It executed encoded PowerShell scripts, dropping a GateDoor/Rustdoor family malware variant. 

Sample Network Traffic Containing Information About the Host

It has been discovered that there is malicious activity within fffmpeg.exe, as this program connects to a command-and-control server using Windows sockets and WinHTTP requests, transmitting data like hostname, OS details, and username. 

After establishing a persistent connection, the program waits for commands from the C2 server.

Further investigation revealed the execution of obfuscated PowerShell scripts, suggesting additional malicious actions. 

Rapid7 analyzed two malicious executables, fffmpeg.exe and chrome_installer.exe. Ffmpeg.exe executes obfuscated PowerShell scripts that attempt to disable security measures and download additional malware. 

Chrome_installer.exe creates temporary files and attempts to execute a compiled Python script (main.exe) to steal browser credentials.

However, analysis suggests an issue in the source code may prevent main.exe from functioning properly.  

Temp Folder Creation Using String {TEMP}onefile_{PID}_{TIME}

The malicious JAVS.Viewer8.Setup_8.3.7.250-1.exe installer revealed a suspicious fffmpeg.exe binary with a typographical error (“fff” instead of “ff”), along with the installer itself, which was signed by an unexpected certificate belonging to “Vanguard Tech Limited” (instead of the legitimate “Justice AV Solutions Inc.”). 

The investigation on VirusTotal identified another malicious installer variant and dropper with different hashes dating back to April 1, 2024.

Interestingly, a debug file (Dll2.dll) included in the first installer variant contained an uncleaned compilation path, suggesting a potential oversight by the attackers.  

VirusTotal Vanguard Certificate Results

Attackers compromised the official download page of JAVS, a legitimate software vendor, and replaced the legitimate JAVS Viewer installer with a malicious one signed with a fraudulent certificate. 

The malware dropper was disguised as a software update for popular applications (Chrome, Firefox, and OneDrive).

The attack campaign lasted several months, from February to May 2024, and the malicious software was eventually removed by the attackers themselves. 

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers