Hackers breached the JAVS courtroom recording software

May 27, 2024

Threat actors have reportedly trojanised the installer of the widely used Justice AV Solutions (JAVS) courtroom video recording software. According to reports, the embedded malware gives the attackers remote control of the infected PCs.

The business behind this software claims that the digital recording tool has been installed in over 10,000 courtrooms, legal offices, penal facilities, and other agencies worldwide.

JAVS has already removed the compromised version from its official website, stating that the trojanised program, including a malicious fffmpeg.exe binary, did not originate from them or any of their third-party associates.

The organisation examined all of its systems and reset all passwords so that, if any had been stolen, they could not be used in future breaches. The business noted that its ongoing monitoring and collaboration with authorities allowed it to identify attempts to replace its Viewer 8.3.7 software with a compromised file.

They also confirmed that all currently available files on the JAVS.com website are genuine and malware-free. Moreover, the company verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.

Separately, independent researchers analysed the supply chain compromise and tracked it as CVE-2024-4978.

Initial investigation claimed that the compromised JAVS installation first appeared last month.

According to the researchers, the trojanised JAVS installer appeared in early April and is associated with the RustDoor/GateDoor malware family. Once the installer is run and the malware launches, it sends system information to its command-and-control (C2) server.

It then runs two obfuscated PowerShell scripts that attempt to turn off Event Tracing for Windows (ETW) and bypass the Anti-Malware Scan Interface (AMSI). Next, an additional malicious payload downloaded from the C2 server includes Python scripts that harvest credentials stored in the system's web browsers.

The backdoored installer (JAVS.Viewer8.Setup_8.3.7.250-1.exe), which many security vendors classify as a malware dropper, was available for download from the official JAVS website. Researchers advise JAVS customers to reimage every endpoint on which the trojanised installer was run.

All customers should reset every credential used to log into potentially affected endpoints and upgrade the JAVS Viewer software to version 8.3.9 or later, so that attackers who obtained those credentials cannot reuse them to access the software.
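To turn the remediation advice above into a repeatable check, here is an added triage example; it is not code from JAVS or from the researchers who reported CVE-2024-4978. It reads a constructed software-inventory export and a constructed per-host file listing, flags hosts still running a Viewer version below 8.3.9, and flags any host that carries the trojanised installer name or a fffmpeg.exe binary. The host names, CSV layout and C:\EXAMPLE paths are placeholders invented for the example; the version number, installer name and binary name come from the article.

```python
"""Added triage example for the JAVS Viewer incident (not JAVS or researcher code).

Inputs are constructed placeholders: a CSV software-inventory export and a
per-host file listing of the kind an EDR or asset tool can export.
"""
import csv
import io
import ntpath
from typing import Dict, List, Optional, Tuple

# Facts from the article: first clean release, trojanised installer name, extra binary.
FIXED_VERSION: Tuple[int, ...] = (8, 3, 9)
BAD_INSTALLER = "javs.viewer8.setup_8.3.7.250-1.exe"   # compared case-insensitively
BAD_BINARY = "fffmpeg.exe"                             # three f's; legitimate ffmpeg.exe has two

# Finding codes and the action the article recommends for each.
OUTDATED_VIEWER = "OUTDATED_VIEWER"
BAD_BINARY_PRESENT = "BAD_BINARY_PRESENT"
BAD_INSTALLER_PRESENT = "BAD_INSTALLER_PRESENT"
ACTIONS = {
    OUTDATED_VIEWER: "upgrade JAVS Viewer to 8.3.9 or later",
    BAD_BINARY_PRESENT: "treat as compromised: reimage the endpoint and reset its credentials",
    BAD_INSTALLER_PRESENT: "quarantine the installer; reimage the endpoint if it was ever run",
}

# Constructed inventory export (host names and versions are made up for this example).
INVENTORY_CSV = """\
host,product,version
court-rec-01,JAVS Viewer,8.3.7
court-rec-02,JAVS Viewer,8.3.9
court-rec-03,JAVS Viewer,8.3.10
clerk-pc-07,Unrelated Product,1.0
"""

# Constructed file listings; C:\EXAMPLE is a placeholder, not a real JAVS install path.
FILE_LISTINGS: Dict[str, List[str]] = {
    "court-rec-01": [
        r"C:\EXAMPLE\JAVS\Viewer8\ffmpeg.exe",
        r"C:\EXAMPLE\JAVS\Viewer8\fffmpeg.exe",
        r"C:\EXAMPLE\Downloads\JAVS.Viewer8.Setup_8.3.7.250-1.exe",
    ],
    "court-rec-02": [r"C:\EXAMPLE\JAVS\Viewer8\ffmpeg.exe"],
    "court-rec-03": [r"C:\EXAMPLE\JAVS\Viewer8\FFFMPEG.EXE"],
    "clerk-pc-07": [],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.3.10' -> (8, 3, 10). Integer tuples compare correctly; strings do not ('8.3.10' < '8.3.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def viewer_versions(inventory_csv: str) -> Dict[str, Tuple[int, ...]]:
    """Map host -> installed JAVS Viewer version, ignoring other products in the export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: parse_version(r["version"]) for r in rows if r["product"] == "JAVS Viewer"}


def triage_host(version: Optional[Tuple[int, ...]], files: List[str]) -> List[str]:
    """Return finding codes for one host.

    An up-to-date Viewer does not clear a host that still carries the malicious
    binary: the article's advice for such hosts is to reimage, not just upgrade.
    """
    findings: List[str] = []
    if version is not None and version < FIXED_VERSION:
        findings.append(OUTDATED_VIEWER)
    # ntpath splits backslash paths correctly even when this runs on a non-Windows analysis box.
    names = {ntpath.basename(path).lower() for path in files}
    if BAD_BINARY in names:
        findings.append(BAD_BINARY_PRESENT)
    if BAD_INSTALLER in names:
        findings.append(BAD_INSTALLER_PRESENT)
    return findings


def triage(inventory_csv: str, file_listings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return only the hosts with at least one finding, keyed by host name."""
    versions = viewer_versions(inventory_csv)
    report: Dict[str, List[str]] = {}
    for host, files in file_listings.items():
        findings = triage_host(versions.get(host), files)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in triage(INVENTORY_CSV, FILE_LISTINGS).items():
        for code in findings:
            print(f"{host}: {code} -> {ACTIONS[code]}")
```

Two design points matter here. Versions are compared as integer tuples because a plain string comparison would rank 8.3.10 below 8.3.9 and report a patched host as outdated. And the presence of fffmpeg.exe is checked independently of the version, because a host that was upgraded after the trojanised installer ran still needs reimaging and a credential reset under the guidance above.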
