Courtroom Recording Platform JAVS Hijacked in Supply Chain Attack

A Windows version of the RustDoor installer is spreading via a compromised audiovisual software package hosted and distributed by an audio-visual recording platform used in courtrooms, jails, prisons, council, hearing, and lecture halls across nationwide.

Threat actors corrupted Justice AV's Viewer v8.3.7, which is used to access media and logging files produced by the Justice AV platform, according to researchers at Rapid7, who today released their findings on the supply chain cyberattack campaign.

Once deployed, the RustDoor installer allows adversaries to completely take over infected systems, according to the report. The Viewer had been "... available to download via the vendor's website, and it's shipped as a Windows-based installer package that prompts for high privileges upon execution," the researchers explained.

Justice AV Solutions, RustDoor's Supply Chain Attack History

RustDoor was first discovered in December of 2023 targeting macOS machines. The Windows version, also referred to as GateDoor and written in Golang instead of Rust, was found shortly thereafter, according to researchers behind its discovery. Dating back to its origins, RustDoor and GateDoor were deployed in supply chain cyberattacks disguised as legitimate software. Past RustDoor campaigns have been linked to ALPHV/BlackCat ransomware group.

The first malicious versions of JAVS Viewer packages emerged in Feb. 21, and Rapid7 first began investigating it on May 10.

JAVS has since removed the corrupted Viewer files and told Rapid7 that "no source code, certificates, systems, or other software releases were compromised in this incident."

Customers of Justice AV Solutions software should not just delete and replace the software but completely re-image affected endpoints, Rapid7 recommended, as well as reset credentials. JAVS Viewer v8.3.7 users are at "high risk and should take immediate action," the researchers warned.

Although the RustDoor malware is no longer spreading via the JAVS platform, Rapid7 noted that the adversaries behind the supply chain attack are continuously updating and improving their command-and-control (C2) infrastructure.