Compromised recording software was served from vendor’s official site, threat researchers say
Legitimate recording software JAVS Viewer has been saddled with loader malware and has been served from the developer’s site since at least April 2, a threat researcher has warned last month.
After analyzing a flagged installer detected in a customer’s environment, Rapid7 threat analysts have come to a similar conclusion, though they say that Justice AV Solutions (JAVS) – the company developing the legitimate software – is disputing their findings.
The malware hiding in the JAVS Viewer installer
According to Rapid7, the malware is a loader associated with the GateDoor/Rustdoor family of malware, which facilitates unauthorized remote access, collects data about the host computer, and downloads additional malicious payloads when instructed to.
The downloaded malicious installer – JAVS Viewer Setup 8.3.7.250-1.exe, signed by an Authenticode certificate issued to “Vanguard Tech Limited”, and downloaded from the official JAVS site on March 5th – contains and executes a binary named fffmpeg.exe.
That binary executes PowerShell scripts and downloads additional malware that steals sensitive information (e.g., credentials stored in browsers).
“Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action,” the analysts say.
“Completely re-imaging affected endpoints and resetting associated [account] credentials [and browser sessions] is critical to ensure attackers have not persisted through backdoors or stolen credentials. Users should install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems.”
Two compromised installers found
JAVS Viewer opens media and log files created by other pieces of the JAVS software suite, which is specialized software for audio-visual recording in courtroom environments, prison facilities, council and lecture rooms.
The analysts have found two malicious JAVS Viewer packages / compromised installers signed with the Vanguard certificate. The first one was traced back to a download from the official JAVS site, but was not present when the analysts searched for it.
“It’s unknown who removed the malicious package from the downloads page (i.e., the vendor or the threat actor),” they said.
The second one they found a few days later was unlinked, but on the official vendor site.
Rapid7 researchers also found additional malicious payloads hosted on the threat actor’s C2 infrastructure, one of which was subsequently downloaded on their affected customer’s system.
After reporting their findings to Justice AV Solutions, the company said that though they did identify attempts to replace their Viewer 8.3.7 software with a compromised file, the file analyzed by the researchers “did not originate from JAVS or any 3rd party associated with JAVS.” Still, they are revisiting their release process “to strengthen file certification”.
“JAVS service technicians typically install the Viewer software in question. We have all members of our service team validating installations of Viewer software on any potentially affected systems, specifically checking for the presence of the malicious file in question – fffmpeg.exe with three ‘f’s.’ Note, the JAVS file ffmpeg.exe with two ‘f’s’ is a legitimate file,” they noted.
They also advised users to manually check for the malicious file and, if they find it, to re-image the PC and reset credentials used by the user(s).
“We highly encourage all users to verify that JAVS has digitally signed any JAVS software they install. Any files found signed by other parties should be considered suspect,” they added.
source: HelpNetSecurity
Free security scan for your website
Top News:
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
November 23, 2024Download: CIS Critical Security Controls v8.1
August 8, 2024Hackers now use AppDomain Injection to drop CobaltStrike beacons
August 24, 2024