U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack

Malicious actors compromised the JAVS Viewer installer to deliver the RustDoor malware in a supply chain attack. Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software. The attackers were able to inject a backdoor in the JAVS Viewer v8.3.7 installer that is being distributed from […]

Rustdoor JAVS Viewer

Malicious actors compromised the JAVS Viewer installer to deliver the RustDoor malware in a supply chain attack.

Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software.

The attackers were able to inject a backdoor in the JAVS Viewer v8.3.7 installer that is being distributed from the JAVS’ servers.

Justice AV Solutions (JAVS) is a U.S.-based company providing digital audio-visual recording solutions for courtroom settings and other environments, including jails, councils, and lecture rooms. The JAVS Viewer has over 10,000 installations globally. The backdoor delivered by the researchers allows attackers to gain full control of infected systems. Rapid7 experts recommend to re-image the affected systems, reset associated credentials, and install the latest version of JAVS Viewer (v8.3.8 or higher).

The researchers noticed that the installer for JAVS Viewer Setup 8.3.7.250-1.exe was digitally signed with an unexpected Authenticode signature and included a binary called fffmpeg.exe. The binary executed encoded PowerShell scripts, Rapid7 linked fffmpeg.exe to the GateDoor/Rustdoor malware, which was identified by security firm S2W.

“Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited”. This is unexpected, as it was noted that other JAVS binaries which appear legitimate are signed by a certificate issued to “Justice AV Solutions Inc”.” reads the report published by Rapid7. “Searching VirusTotal for other files signed by “Vanguard Tech Limited” shows the following.


“The above suggests that there may be one other version of the malicious installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and one other malicious fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e). These binaries were first seen on the VirusTotal platform April 1, 2024.”

The researchers discovered two malicious JAVS Viewer packages on the vendor’s server, they were signed with a certificate issued on February 10.

On April 2, 2024, the X user @2RunJack2 first reported of the implant distributed by the official JAVS downloads page.

Rapid7 published Indicators of Compromise (IoC) for this attack, below is the attack timeline:

  • Feb 10, 2024: A certificate is issued for the subject Vanguard Tech Limited, which the certificate indicates is based in London.
  • Feb 21, 2024: The first of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
  • April 2, 2024: The Twitter user @2RunJack2 tweets about malware being served by the official JAVS downloads page. It’s not stated whether the vendor was notified.
  • Mar 12, 2024: The second of the two malicious JAVS Viewer packages is signed with the Vanguard certificate.
  • May 10, 2024: Rapid7 investigates a new alert in a Managed Detection and Response customer environment. The source of the infection is traced back to an installer that was downloaded from the official JAVS site. The malware file that was downloaded by the victim, the first Viewer package, is not observed to be accessible on the vendor’s download page. It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor).
  • May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000: chrome_installer.exefirefox_updater.exe, and OneDriveStandaloneUpdater.exe.
  • May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site. This confirms that the vendor site was the source of the initial infection.
  • May 17, 2024: Rapid7 discovers that the threat actor removed the binary OneDriveStandaloneUpdater.exe from C2 infrastructure and replaced it with a new binary, ChromeDiscovery.exe. This indicates that the threat actor is actively updating their C2 infrastructure.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, JAVS Viewer)