Hackers Embed Backdoor in Software Used by Courts Worldwide

Researchers reported Thursday that a software provider serving over 10,000 courtrooms globally released an update containing a hidden backdoor that maintained persistent communication with a malicious website. This incident is the latest in a series of supply-chain attacks.

JAVS Viewer 8: A Vulnerability in Courtroom Software

The software, known as JAVS Viewer 8, is part of the JAVS Suite 8, used in courtrooms to record, play back, and manage audio and video from proceedings. Justice AV Solutions, based in Louisville, Kentucky, claims its products are used in more than 10,000 courtrooms across the US and 11 other countries. The company has been in business for 35 years.

High Risk for JAVS Viewer Users

Security firm Rapid7 found that a version of JAVS Viewer 8 available for download on javs.com contained a backdoor that allowed an unknown threat actor persistent access to infected devices. The malicious download was embedded in an executable file for installing JAVS Viewer version 8.3.7 and was first reported on April 1. It is unclear when the compromised version was removed from the company’s website. JAVS representatives have not yet responded to email inquiries.

Immediate Action Required

“Users who have installed version 8.3.7 of the JAVS Viewer executable are at high risk and should take immediate action,” Rapid7 researchers Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger wrote. “This version contains a backdoored installer that allows attackers to gain full control of affected systems.”

Details of the Attack

The installer file was named JAVS Viewer Setup 8.3.7.250-1.exe. When executed, it copied a binary file, fffmpeg.exe, to the directory C:\Program Files (x86)\JAVS\Viewer 8. To bypass security warnings, the installer was digitally signed with a certificate issued to “Vanguard Tech Limited” rather than “Justice AV Solutions Inc.,” the legitimate signing entity.

fffmpeg.exe used Windows Sockets and WinHTTP to establish communications with a command-and-control server. Once connected, fffmpeg.exe sent the server passwords harvested from browsers and information about the compromised host, including hostname, operating system details, processor architecture, program working directory, and the username.

The researchers noted that fffmpeg.exe also downloaded a file, chrome_installer.exe, from IP address 45.120.177.178. chrome_installer.exe executed a binary and several Python scripts responsible for stealing passwords saved in browsers. fffmpeg.exe is associated with a known malware family called GateDoor/Rustdoor. The exe file was already flagged by 30 endpoint protection engines, with detections increasing to 38 by the time of the report.
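The following triage script is an added example, not code from the article, Rapid7, or JAVS. It checks a Windows endpoint for the indicators described above: it inspects the Authenticode signer of a downloaded installer (the legitimate signer is "Justice AV Solutions Inc.", so a valid signature from any other entity is treated as a finding), looks for the dropped fffmpeg.exe in the Viewer 8 directory, and checks for live connections to 45.120.177.178. The installer path parameter and the exact subject-string match are assumptions.

```powershell
# Added example (not from the article, Rapid7 or JAVS). File names, the
# install directory and the IP address come from the report; the default
# installer path and the expected signer string are assumptions.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\JAVS Viewer Setup 8.3.7.250-1.exe"
)

$viewerDir  = "C:\Program Files (x86)\JAVS\Viewer 8"
$c2Address  = "45.120.177.178"
$expectedCN = "Justice AV Solutions Inc."   # legitimate signing entity per the report
$findings   = @()

# 1. Signature check. A backdoored installer can carry a *valid* signature from
#    the wrong entity, so the signer subject matters as much as the status.
if (Test-Path -LiteralPath $InstallerPath) {
    $sig     = Get-AuthenticodeSignature -FilePath $InstallerPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }
    if ($sig.Status -ne 'Valid' -or $subject -notmatch [regex]::Escape($expectedCN)) {
        $findings += "Installer signature status '$($sig.Status)', signer '$subject' (expected '$expectedCN')"
    }
}

# 2. Dropped binary on disk or in memory.
$dropped = Join-Path $viewerDir 'fffmpeg.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "Found $dropped (binary copied by the 8.3.7 installer)"
}
$proc = Get-Process -Name 'fffmpeg' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "fffmpeg.exe is running (PID $($proc.Id -join ','))"
}

# 3. Live connection to the download server named in the report.
$conn = Get-NetTCPConnection -RemoteAddress $c2Address -ErrorAction SilentlyContinue
if ($conn) {
    $findings += "Active TCP connection to $c2Address"
}

if ($findings.Count -eq 0) {
    Write-Output "No JAVS 8.3.7 indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "Indicators found on $env:COMPUTERNAME - isolate and reimage:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session so that process and connection enumeration is complete; a clean result only means these specific indicators are absent, not that the host is uncompromised.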

Cleaning Up Infected Devices

The researchers warned that disinfecting infected devices will require careful attention. They emphasized the importance of thoroughness in the cleanup process to ensure the complete removal of all malicious components.

To remediate this issue, affected users should:

  • Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
  • Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
  • Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
  • Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.

Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.

Official Statement from JAVS

The Rapid7 post included a statement from JAVS confirming the installer for version 8.3.7 of the JAVS Viewer was indeed malicious.

“We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems,” the statement read. “We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS source code, certificates, systems, or other software releases were compromised in this incident.”

The statement did not explain how the malicious installer came to be hosted on the company's own site, nor did it say whether an external firm had been retained to investigate the incident.

The Broader Context of Supply-Chain Attacks

This incident underscores the growing threat of supply-chain attacks, where hackers tamper with a legitimate service or software to infect downstream users. Typically, these attacks involve first hacking the service or software provider. While it’s challenging to completely prevent such attacks, one useful measure is to vet files using VirusTotal before executing them. This advice could have helped JAVS users avoid the compromised software.