Courtroom Recording Platform Abused To Deliver Backdoor Implant – The Cyber Express

GateDoor and Rustdoor backdoor malware family identified in the spread

by Mihir Bagwe May 24th, 2024

Share on LinkedInShare on Twitter

Hackers compromised a popular courtroom recording platform used across jails and prisons around the globe, to gain full control of systems through a backdoor implanted in a software update.

Justice AV Solutions (JAVS) software records events like lectures, court hearings and council meetings, with over 10,000 installations worldwide. Users can download it through the vendor’s website as a Windows-based installer package.

This week, the company announced it had identified a security issue with a previous version of its JAVS Viewer software. The company stated on Thursday, “Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file.”

JAVS removed all versions of Viewer 8.3.7 from its website, reset all passwords and conducted a full internal audit of its systems. The company confirmed that all currently available files on the JAVS website are genuine and malware-free. It also verified that no JAVS source code, certificates, systems, or other software releases were compromised.

The malicious file containing malware did not originate from JAVS or any associated third party. As a precautionary measure, the company urged users to verify any JAVS software they install is digitally signed by the company.

“Manually check for file ‘fffmeg.exe’: If the malicious file is found or detected, we recommend a full re-image of the PC and a reset of any credentials used by the user on that computer.”

If Viewer is the version currently installed, but no malicious files are found, JAVS advised uninstalling the Viewer software and performing a full Anti-Virus/malware scan. “Please reset any passwords used on the affected system before upgrading to a newer version of Viewer 8,” the company recommended.

Cybersecurity firm Rapid7 analyzed the issue and found that the corrupted JAVS Viewer software, which opens media and logs files, included a backdoored installer that gives attackers full access to affected systems.

Based on the open-source intelligence, Rapid7 determined that the binary fffmpeg.exe is associated with the GateDoor and Rustdoor malware family. These malwares perform malicious actions such as collecting information, downloading additional files, and executing commands.

RustDoor focuses on backdoor functions, but GateDoor has many loader functions. “The infrastructure used by the two malware appears to be related to a RaaS affiliate called ShadowSyndicate, and the possibility that they are cybercrime collaborators who specialize in providing infrastructure cannot be ruled out,” said S2W, the company who first observed the backdoors earlier in February.

Rapid7 tracked the issue as CVE-2024-4978 and coordinated the disclosure with the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Rapid7 noted that the malicious versions of the software were signed by “Vanguard Tech Limited,” allegedly based in London. In its advisory, Rapid7 urged users to reimage all endpoints where the software was installed and reset credentials on web browsers and for any accounts logged into affected endpoints, both local and remote.

“Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate,” Rapid7 advised.

The issue first surfaced on platform X (formerly Twitter) in April when a threat intelligence researcher claimed that “malware is being hosted on the official website of JAVS.”

On May 10, Rapid7 responded to an alert on a client’s system and traced an infection back to an installer downloaded from the JAVS website. The malicious file downloaded by the victim was no longer available on the website, and it’s unclear who removed it.

A few days later, researchers found a different installer file containing malware on the JAVS website, confirming the vendor site as the source of the initial infection. JAVS did not comment on the discrepancy between their findings and Rapid7’s analysis.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button