Proprietary · 2024-02-21 · 82 days · Backdoor, Remote Access, Data Theft

JAVS Viewer installer delivered backdoor

JAVS Viewer 8.3.7 installers served from the official site carried a backdoor disguised as fffmpeg.exe. Courtroom recording environments that ran the installer were told to reimage affected hosts and reset credentials.

Story

JAVS Viewer is used in courtroom and hearing-room recording environments. Rapid7 traced an incident back to JAVS Viewer Setup 8.3.7.250-1.exe, downloaded from the official JAVS site on March 5, 2024.

The installer was signed, but not by Justice AV Solutions. It carried an Authenticode certificate issued to Vanguard Tech Limited and included fffmpeg.exe, named with three leading f characters to pass as the legitimate ffmpeg.exe. That file ran from the JAVS Viewer installation directory and established command-and-control traffic.

The backdoor sent host details to 45.120.177.178, maintained a persistent connection, and launched obfuscated PowerShell. Rapid7 later found second-stage binaries on the actor's infrastructure, including browser-credential theft tooling and StealC-related payloads.

JAVS pulled Viewer 8.3.7, reset passwords, audited its systems, and stated that its source code, certificates, systems, and other releases were not compromised. Rapid7 and JAVS both recommended reimaging affected machines, resetting credentials, and installing a clean 8.3.8 or later release rather than attempting to clean in place.
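The indicators above (the two published installer hashes, the fffmpeg.exe name, the C2 address, and encoded PowerShell launched from it) are enough for a first triage pass. The following is an added example, not code from Rapid7 or JAVS: it hashes a candidate installer against the published SHA-256 values and runs indicator matching over constructed Sysmon-style process and network events. The JAVS install path, the event field names, and the encoded-PowerShell pattern are assumptions for illustration; the sample events are constructed, not real telemetry.

```python
"""IOC triage for the JAVS Viewer 8.3.7 backdoor incident (added example)."""
import hashlib
import re

# The two malicious installer hashes listed under Affected Artifacts.
MALICIOUS_INSTALLER_SHA256 = {
    "a5e24c10d595969858af422c6dff6bed5f9c6c49dc9622d694327323d8a57d72",
    "fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c",
}
C2_IP = "45.120.177.178"        # reported C2 address
BACKDOOR_NAME = "fffmpeg.exe"   # three f's; the legitimate tool is ffmpeg.exe

# Heuristic (assumption): "-e", "-ec", "-enc" or "-encodedcommand" followed
# by a base64 blob, the usual shape of encoded PowerShell launches.
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad_hash(hexdigest: str) -> bool:
    return hexdigest.lower() in MALICIOUS_INSTALLER_SHA256


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list:
    """Return the indicator tags that one event matches (empty list if none)."""
    findings = []
    image = basename(event.get("Image", ""))
    if image == BACKDOOR_NAME:
        findings.append("fffmpeg_exe_image")
    if basename(event.get("ParentImage", "")) == BACKDOOR_NAME:
        findings.append("fffmpeg_exe_parent")
    if event.get("DestinationIp") == C2_IP:
        findings.append("c2_ip_" + C2_IP)
    if "powershell" in image and ENCODED_PS.search(event.get("CommandLine", "")):
        findings.append("encoded_powershell")
    return findings


def triage(events) -> dict:
    """Map event id -> findings for every event that matched at least one indicator."""
    return {ev["id"]: f for ev in events if (f := triage_event(ev))}


# Constructed sample events (not real telemetry). The install path is assumed.
JAVS_DIR = r"C:\Program Files (x86)\JAVS\Viewer 8"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 1: legitimate ffmpeg.exe (two f's) from the same directory; must not fire.
    {"id": 1, "type": "ProcessCreate", "Image": JAVS_DIR + r"\ffmpeg.exe",
     "ParentImage": JAVS_DIR + r"\JAVS Viewer.exe",
     "CommandLine": "ffmpeg.exe -i hearing.mkv -c copy hearing.mp4"},
    # 2: the backdoor binary itself being started.
    {"id": 2, "type": "ProcessCreate", "Image": JAVS_DIR + r"\fffmpeg.exe",
     "ParentImage": JAVS_DIR + r"\JAVS Viewer.exe", "CommandLine": "fffmpeg.exe"},
    # 3: encoded PowerShell spawned by the backdoor.
    {"id": 3, "type": "ProcessCreate", "Image": PS_EXE,
     "ParentImage": JAVS_DIR + r"\fffmpeg.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # 4: the backdoor beaconing to the reported C2 address.
    {"id": 4, "type": "NetworkConnect", "Image": JAVS_DIR + r"\fffmpeg.exe",
     "DestinationIp": C2_IP, "DestinationPort": 443},
    # 5: unrelated outbound traffic; must not fire.
    {"id": 5, "type": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for event_id, tags in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"event {event_id}: {', '.join(tags)}")
```

A hit on the installer hash or on fffmpeg.exe as a process image or parent is a reimage decision, not a cleanup task, which is why the example tags events rather than trying to remediate; note that event 1 shows the legitimate two-f ffmpeg.exe in the same directory deliberately not matching.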

Affected Artifacts

JAVS Viewer

windows installer · javs.com · Binary Archive
Observed
2024-02-21 to 2024-05-13
Compromised Versions
8.3.7
Fixed
8.3.8, 8.3.9
Hashes
  • sha256:a5e24c10d595969858af422c6dff6bed5f9c6c49dc9622d694327323d8a57d72
  • sha256:fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c
Notes
  • The two SHA-256 values are the publicly identified malicious JAVS Viewer 8.3.7 installers.
  • The embedded fffmpeg.exe payload and the binaries hosted on the C2 infrastructure are recorded here by name only, not by hash.

Incident Context

Motive
Espionage, Remote Access
Cause
Compromised Installer
Transitive
No

External References

Source record: proprietary/javs/meta.yaml