{
  "name": "CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack",
  "slug": "cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack",
  "description": "Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoored installer that allows attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe, which executed obfuscated PowerShell scripts and facilitated unauthorized access, data exfiltration, and credential harvesting. Affected users should immediately re-image compromised endpoints, reset credentials, and install the latest JAVS Viewer version only after that remediation is complete.",
  "published": "2024-05-24T11:29:44+00:00",
  "created_at": "2024-05-24T11:29:44+00:00",
  "modified_at": "2024-05-24T11:56:09+00:00",
  "created_at_opencti": "2024-05-24T11:29:44+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-24",
    "CVE-2024-4978",
    "backdoor",
    "credential harvesting",
    "gatedoor/rustdoor",
    "installer",
    "software",
    "stealc infostealer",
    "supply-chain"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.120.177.178"
      },
      {
        "id": "",
        "name": "fe408e2df48237b11cb724fa51b6d5e9c74c8f5d5b2955c22962095c7ed70b2c"
      },
      {
        "id": "",
        "name": "f8a734d5e7a7b99b29182dddf804d5daa9d876bf39ce7a04721794367a73da51"
      },
      {
        "id": "",
        "name": "d8def4437bd76279ec6351b65156d670ec0fed24d904e6648de536fed1061671"
      },
      {
        "id": "",
        "name": "c65ee0f73f53b287654b6446ffe7264e0d93b24302e7f0036f5e7db3748749b9"
      },
      {
        "id": "",
        "name": "aace6f617ef7e2e877f3ba8fc8d82da9d9424507359bb7dcf6b81c889a755535"
      },
      {
        "id": "",
        "name": "a5e24c10d595969858af422c6dff6bed5f9c6c49dc9622d694327323d8a57d72"
      },
      {
        "id": "",
        "name": "4f0ca76987edfe00022c8b9c48ad239229ea88532e2b7a7cd6811ae353cd1eda"
      },
      {
        "id": "",
        "name": "4150452d8041a6ec73c447cbe3b1422203fffdfbf5c845dbac1bed74b33a5e09"
      },
      {
        "id": "",
        "name": "2183c102c107d11ae8aa1e9c0f2af3dc8fa462d0683a033d62a982364a0100d0"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:941a7c85a8fd8521",
        "name": "StealC InfoStealer",
        "slug": "stealc-infostealer"
      },
      {
        "id": "legacy:malware:4e1cce81613dcf34",
        "name": "GateDoor/Rustdoor",
        "slug": "gatedoorrustdoor"
      }
    ],
    "attack_patterns": [
      {
        "id": "ea1b48f4-a309-42b6-b1a5-1875fb6d45ae",
        "name": "T1216"
      },
      {
        "id": "1f2ce0cc-430c-4317-a332-83a27cbad1d3",
        "name": "T1548"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-4978"
      }
    ]
  },
  "external_refs": [
    "https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/",
    "https://otx.alienvault.com/pulse/665096489cd3db26387dbaea"
  ]
}