Rapid7 uncovered a backdoored JAVS Viewer 8.3.7 installer used in what appears to be a supply chain intrusion, with a dropper binary that communicates with a remote C2 and multiple additional payloads. Immediate remediation includes re-imaging affected endpoints and upgrading to 8.3.8+ after credentials are reset. #JAVS #fffmpeg #VanguardTechLimited #GateDoor #Rustdoor #ChromeDiscovery #OneDriveStandaloneUpdater
Keypoints
- JAVS Viewer 8.3.7 installer contains a backdoored binary (fffmpeg.exe) that provides attackers with remote control over affected systems.
- The malicious components are signed with a Vanguard Tech Limited Authenticode certificate, raising trust concerns about supply-chain integrity.
- The infection path traces back to a legitimate JAVS download page, indicating a supply-chain compromise via the official site.
- Parsed artifacts reveal C2 communications to 45.120.177.178 (gateway/register and gateway/report) and additional payloads hosted on the C2 over port 8000.
- Payloads include chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe; ChromeDiscovery.exe later replaced OneDriveStandaloneUpdater.exe in the C2 infrastructure.
- Obfuscated PowerShell scripts are used, with AMSI bypass and ETW disable attempts during execution, and credentials are targeted in browsers.
- Remediation emphasizes full endpoint re-imaging, credential resets, and upgrading to the latest JAVS Viewer version (8.3.8+).
MITRE Techniques
- [T1195] Supply Chain Compromise – The malicious installer was downloaded from the official JAVS site, leading to the backdoored installation. ‘downloaded from the official JAVS site on March 5th.’
- [T1218.005] Signed Binary Proxy Execution – Both the fffmpeg.exe binary and the installer binary are signed by an Authenticode certificate issued to “Vanguard Tech Limited.”
- [T1082] System Information Discovery – The malware transmits data about the host (hostname, OS details, CPU, working directory, user) to the C2. ‘transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.’
- [T1041] Exfiltration Over C2 Channel – Data about the host is sent to the C2 during operation. ‘transmits data about the compromised host… to the C2.’
- [T1071.001] Web Protocols – The backdoor communicates with the C2 over HTTP/HTTPS endpoints (e.g., gateway/register and gateway/report). ‘reaches out to hxxps://45.120.177[.]178/gateway/register and hxxps://45.120.177[.]178/gateway/report.’
- [T1555.003] Credentials in Browser – The dropped payload in main.exe is described as scraping browser credentials. ‘contained Python code within the resource section whose purpose was to scrape browsers’ credentials.’
- [T1562.001] Impair Defenses – AMSI bypass and ETW disable for the launched PowerShell session. ‘will attempt to bypass the Anti-Malware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW) for the launched PowerShell session.’
- [T1059.001] PowerShell – Obfuscated/encoded PowerShell scripts executed by fffmpeg.exe. ‘observed the execution of two obfuscated PowerShell scripts.’
Indicators of Compromise
- [File] JAVS.Viewer8.Setup_8.3.7.250-1.exe – JAVS Viewer 8.3.7 installer downloaded from javs[.]com; Signature shows Vanguard Tech Limited. – A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72
- [File] fffmpeg.exe – Reaches out to C2 endpoints; Signature shows Vanguard Tech Limited. – A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72
- [File] chrome_installer.exe – Potential second-stage payload hosted on the C2. – F8A734D5E7A7B99B29182DDDF804D5DAA9D876BF39CE7A04721794367A73DA51
- [File] Main.exe – Executes as part of chrome_installer.exe; contains Python code to scrape browser credentials. – 4150452D8041A6EC73C447CBE3B1422203FFFDFBF5C845DBAC1BED74B33A5E09
- [File] Dll2.dll – “Hello World” test library bundled with the malicious installer. – 2183C102C107D11AE8AA1E9C0F2AF3DC8FA462D0683A033D62A982364A0100D0
- [File] firefox_updater.exe – Found on C2 over port 8000; contains StealC InfoStealer. – 4F0CA76987EDFE00022C8B9C48AD239229EA88532E2B7A7CD6811AE353CD1EDA
- [File] ChromeDiscovery.exe – Packed with a Go binary; communicates to the same C2 as fffmpeg.exe. – D8DEF4437BD76279EC6351B65156D670EC0FED24D904E6648DE536FED1061671
- [IP] 45.120.177[.]178 – C2 host (attacker server) used by fffmpeg.exe and other payloads.
- [URL] hxxps://www.javs[.]com/download/45819/ – Official JAVS download URL observed hosting the backdoored installer.
- [URL] hxxps://45.120.177[.]178/gateway/register – C2 registration path.
- [URL] hxxps://45.120.177[.]178/gateway/report – C2 reporting path.
- [Certificate] Vanguard Tech Limited certificate – PKCS#7 Authenticode signature issued by SSL.com Code Signing Intermediate CA RSA R1.
Identified by Open Source Intelligence (OSINT)
- [URL] https://www.virustotal.com/gui/file/fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c – VirusTotal record related to JAVS.Viewer8.Setup_8.3.7.250-1.exe (SHA256 FE408E…).
- [Hash] AACE6F617EF7E2E877F3BA8FC8D82DA9D9424507359BB7DCF6B81C889A755535 – OSINT record for fffmpeg.exe.
Remediation
- Re-image affected endpoints (a full rebuild, not just deletion of the backdoored files) and, once the backdoor is confirmed gone, install JAVS Viewer 8.3.8 or higher.
- Reset credentials for all accounts and browser sessions used on affected hosts, since the second-stage payload targets browser-stored credentials.
- Upgrade to JAVS Viewer version 8.3.8+ and verify the Authenticode signature on installed files; legitimate JAVS binaries should not be signed by “Vanguard Tech Limited.”
- Follow vendor guidance, and consider broader credential hygiene and network segmentation to limit persistence and lateral movement.
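The remediation above asks for verifying digital signatures on installed files. The following PowerShell sweep is an added example, not code from Rapid7 or Justice AV Solutions: it hashes executables and DLLs under a few common install locations, matches them against the SHA256 values listed in the Indicators of Compromise section, and flags any file whose Authenticode signer is “Vanguard Tech Limited” or whose name is fffmpeg.exe. The search paths, the `Find-JavsIocs` function name, and the output columns are assumptions; the hashes and signer name are taken from this page.

```powershell
# Added example (not from the Rapid7 write-up or the vendor). Hash values and the
# signer name come from the IoC list above; paths and output layout are assumptions.
$IocHashes = @{
    'A5E24C10D595969858AF422C6DFF6BED5F9C6C49DC9622D694327323D8A57D72' = 'JAVS.Viewer8.Setup_8.3.7.250-1.exe / fffmpeg.exe (as listed)'
    'F8A734D5E7A7B99B29182DDDF804D5DAA9D876BF39CE7A04721794367A73DA51' = 'chrome_installer.exe'
    '4150452D8041A6EC73C447CBE3B1422203FFFDFBF5C845DBAC1BED74B33A5E09' = 'main.exe (browser credential scraper)'
    '2183C102C107D11AE8AA1E9C0F2AF3DC8FA462D0683A033D62A982364A0100D0' = 'Dll2.dll'
    '4F0CA76987EDFE00022C8B9C48AD239229EA88532E2B7A7CD6811AE353CD1EDA' = 'firefox_updater.exe (StealC)'
    'D8DEF4437BD76279EC6351B65156D670EC0FED24D904E6648DE536FED1061671' = 'ChromeDiscovery.exe'
    'AACE6F617EF7E2E877F3BA8FC8D82DA9D9424507359BB7DCF6B81C889A755535' = 'fffmpeg.exe (OSINT record)'
}
$SuspectSigner = 'Vanguard Tech Limited'

function Find-JavsIocs {
    param(
        # Assumed search roots; widen this list to wherever JAVS Viewer was installed.
        [string[]]$Paths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
                             "$env:LOCALAPPDATA", "$env:TEMP")
    )
    $candidates = Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.dll `
        -ErrorAction SilentlyContinue
    foreach ($file in $candidates) {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $reasons = @()
        if ($IocHashes.ContainsKey($hash))        { $reasons += "SHA256 matches $($IocHashes[$hash])" }
        if ($signer -like "*$SuspectSigner*")     { $reasons += "signed by $SuspectSigner" }
        if ($file.Name -ieq 'fffmpeg.exe')        { $reasons += 'file name matches backdoor binary' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path            = $file.FullName
                SHA256          = $hash
                Signer          = $signer
                SignatureStatus = $sig.Status
                Reason          = ($reasons -join '; ')
            }
        }
    }
}

# Run the sweep; an empty table means no listed indicator was found under the given roots.
Find-JavsIocs | Format-Table -AutoSize
```

A hit on the signer check is the most useful signal here: a genuine JAVS component carries the vendor's own signature, so a valid signature from a different organisation on a file under the JAVS install path is exactly the supply-chain symptom described above. A hash match alone can miss re-packed variants, so treat the absence of hash hits as weak evidence and follow the re-imaging guidance for any host that ran the 8.3.7 installer.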
Vendor Statement
Justice AV Solutions provided guidance and confirmed that all currently available files on JAVS.com are genuine and malware-free, and urged customers to verify digital signatures on installed software. They also recommended upgrading to the latest version (8.3.9 or higher) and performing full system checks.