Courtroom Software Backdoored to Deliver RustDoor Malware in Supply Chain Attack
Summary:
Malicious actors compromised the installer for courtroom video recording software from Justice AV Solutions to distribute RustDoor malware. This software supply chain attack, tracked as CVE-2024-4978, targeted JAVS Viewer v8.3.7, a component of JAVS Suite 8 used for managing digital recordings of legal and business proceedings, including courtroom sessions, business meetings, and city council sessions.
Rapid7, a cybersecurity firm, discovered a suspicious executable named "fffmpeg.exe" within the software's installation folder. The executable was traced back to an installer downloaded from the official Justice AV Solutions website on March 5, 2024, titled "JAVS Viewer Setup 8.3.7.250-1.exe." What raised alarms was that this installer was signed with an unexpected Authenticode signature from "Vanguard Tech Limited" instead of the usual signing entity, "Justice AV Solutions Inc." Upon execution, "fffmpeg[.]exe" established contact with a command-and-control (C&C) server using Windows sockets and WinHTTP requests. It then executed encoded PowerShell scripts to bypass security measures such as the Antimalware Scan Interface (AMSI) and to disable Event Tracing for Windows (ETW). Subsequently, it attempted to download a disguised Google Chrome installer from a remote server. Further analysis revealed another executable named "main[.]exe" in the malware chain. This component was designed to gather credentials from web browsers but contained software bugs that prevented it from functioning correctly.
Security Officer Comments:
The RustDoor malware, which originally targeted Apple macOS devices, has now been observed on Windows systems, indicating an expansion of its threat landscape. This shift in platforms was noted by South Korean cybersecurity company S2W on April 2, 2024. RustDoor was first documented by Bitdefender earlier this February as targeting Apple macOS devices by mimicking an update for Microsoft Visual Studio, as part of likely targeted attacks using job-offer lures.
Suggested Corrections:
In response to the breach, Justice AV Solutions removed the compromised version of JAVS Viewer, reset passwords, and conducted a comprehensive security audit. Users were advised to verify digital signatures for all software installations and implement recommended security measures, including checking for indicators of compromise (IoCs), re-imaging affected endpoints, resetting credentials, and updating to the latest version of JAVS Viewer.
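As an added example, not code from the advisory or from Justice AV Solutions, the following PowerShell script performs the two checks recommended above on a Windows host: it reads the installer's Authenticode signer and flags a signature from "Vanguard Tech Limited" or any signer other than "Justice AV Solutions Inc.", and it scans the installation folder for the executables named in the summary, reporting their hash and signer. The installer path and install directory are assumptions to be replaced with the real locations; the signer names and file names come from the report.

```powershell
# Added example (not from the advisory or from Justice AV Solutions): verify the
# Authenticode signer of a JAVS Viewer installer and look for the binaries named
# in the CVE-2024-4978 report. The two paths below are assumptions.
$InstallerPath = 'C:\Temp\JAVS Viewer Setup 8.3.7.250-1.exe'   # assumed download location
$InstallDir    = 'C:\Program Files (x86)\JAVS\Viewer 8'          # assumed install folder

$ExpectedSigner   = 'Justice AV Solutions Inc.'   # usual signing entity per the advisory
$UnexpectedSigner = 'Vanguard Tech Limited'       # signer seen on the backdoored installer
$SuspiciousNames  = @('fffmpeg.exe', 'main.exe')  # executables named in the advisory

function Get-SignerSubject {
    param([Parameter(Mandatory)]$Signature)
    if ($Signature.SignerCertificate) { return $Signature.SignerCertificate.Subject }
    return '<unsigned>'
}

function Test-InstallerSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = Get-SignerSubject -Signature $sig

    # A cryptographically valid signature is not sufficient on its own: the
    # trojanized installer was validly signed, just by the wrong entity, so the
    # certificate subject has to be compared against the expected publisher.
    $verdict = 'OK: valid signature from expected publisher'
    if ($sig.Status -ne 'Valid') {
        $verdict = "FAIL: signature status is $($sig.Status)"
    }
    elseif ($subject -match [regex]::Escape($UnexpectedSigner)) {
        $verdict = "ALERT: signed by '$UnexpectedSigner' (signer reported for CVE-2024-4978)"
    }
    elseif ($subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $verdict = "WARN: signer does not match expected '$ExpectedSigner'"
    }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = $subject
        Verdict         = $verdict
    }
}

function Find-SuspiciousBinaries {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "Install directory not found: $Directory"
        return
    }
    # Report every file whose name matches one of the executables in the advisory,
    # with its SHA-256 so it can be compared against published IoCs.
    Get-ChildItem -LiteralPath $Directory -Recurse -File |
        Where-Object { $SuspiciousNames -contains $_.Name.ToLower() } |
        ForEach-Object {
            $fsig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Status = $fsig.Status
                Signer = Get-SignerSubject -Signature $fsig
            }
        }
}

if (Test-Path -LiteralPath $InstallerPath) {
    Test-InstallerSigner -Path $InstallerPath | Format-List
} else {
    Write-Warning "Installer not found: $InstallerPath"
}
Find-SuspiciousBinaries -Directory $InstallDir | Format-Table -AutoSize
```

The script deliberately treats a Status of Valid as only the first gate: the subject of the signing certificate is then matched against the publisher the vendor normally uses, which is the check that would have caught this installer. Any file it lists from the install folder should be compared against the vendor's and Rapid7's published indicators before the endpoint is re-imaged and credentials are reset.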
Link(s):
https://thehackernews.com/2024/05/courtroom-software-backdoored-to.html