SecurityWeek

JAVS Courtroom Audio-Visual Software Installer Serves Backdoor

Backdoored JAVS courtroom recording and management software installer puts thousands at risk of complete takeover.

Thousands of computers are at risk of complete takeover after hackers added a backdoor to the installer for the Justice AV Solutions (JAVS) Viewer software, Rapid7 warned in an advisory.

According to Rapid7, the hackers injected a backdoor in the JAVS Viewer v8.3.7 installer that is being distributed directly from JAVS’ official servers.

“This version contains a backdoored installer that allows attackers to gain full control of affected systems. Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials,” Rapid7 added.

The backdoored installer had been distributed through the official servers for months and was initially discovered by security firm S2W, which identified the malware being deployed in this attack, namely GateDoor (part of the RustDoor malware family) in February.

Once the malware is dropped on a user’s computer, it provides the attackers with full control over the machine.

“Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands,” according to a NIST advisory that identifies the issue as CVE-2024-4978 (CVSS score of 8.7).

Rapid7 identified two malicious JAVS Viewer packages on the vendor’s server and discovered that the certificate used to sign them was issued on February 10.

Although the first report of the official JAVS downloads page serving malware emerged in early April, it is unclear if the vendor was notified at the time.

The cybersecurity firm recommends that users update to JAVS Viewer version 8.3.8, which no longer contains the malicious code.

Rapid7 also underlines that users need to re-image their computers to ensure that the backdoor has been removed, as simply updating the Viewer does not clean the system, and to reset the credentials for all accounts they were logged into on the infected machines.

“Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise,” Rapid7 added.

Part of JAVS Suite, which provides audio and video recording and management capabilities for courtroom environments, the Viewer allows users to open media and log files and runs with high system privileges.

A US-based company, JAVS says its software is used in courtrooms, jury rooms, prison facilities, and council, hearing, and lecture rooms, and has more than 10,000 installations worldwide.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
