
An investigation revealed a critical vulnerability in JAVS Viewer v8.3.7: the installer, downloaded from the official JAVS website, contained a backdoored version of ffmpeg.exe (associated with GateDoor/Rustdoor malware).

The malware executed encoded PowerShell scripts, potentially granting attackers full control of affected systems. Re-imaging affected hosts and resetting credentials are recommended after installing the patched version (8.3.8 or higher).

JAVS Suite 8 is a software suite designed for managing audio/video recordings. It caters to government organizations and businesses and offers functionalities for recording, viewing, and managing audio/video files. 

A vulnerable component within the suite is the JAVS Viewer application, which is responsible for opening media and log files generated by other JAVS Suite applications. Users download the JAVS Viewer from the vendor's website as a Windows installer that requires administrative privileges during installation.

The Dropper’s VirusTotal Details

A malicious installer for the legitimate JAVS Viewer software, JAVS.Viewer8.Setup_8.3.7.250-1.exe, was found to contain a suspicious binary, fffmpeg.exe (three "f"s instead of the usual two). The binary is flagged as malicious by multiple antivirus vendors on VirusTotal and was first seen there on May 3rd, 2024.

Interestingly, both the installer and the dropper are signed by a certificate belonging to "Vanguard Tech Limited," which differs from the legitimate "Justice AV Solutions Inc." certificate used for other JAVS binaries. This points to a supply chain attack in which a separately obtained certificate is used to distribute malware disguised as legitimate software.

VirusTotal Vanguard Certificate Results

Two malicious files, a Windows Installer (SHA1: b8e97333fc1b5cd29a71299a8f82a541cabf4d59) and fffmpeg.exe (SHA1: b9d13055766d792abaf1d11f18c6ee7618155a0e), were first detected on April 1, 2024. They contain a DLL file (SHA1: cd60955033d1da273a3fda61f69d76f6271e7e4c) that carries a seemingly harmless string, "HelloWorld".

However, this DLL retains a full PDB path (C:\Users\User\source\repos\Dll2\x64\Debug\Dll2.pdb), indicating poor operational security on the attackers' part, since such compilation information is normally stripped before deployment.
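A triage script a defender could run on a workstation suspected of having installed the trojanized viewer, added here as an example and not part of the original report: it hashes the files, compares them against the SHA1 values above, flags the tell-tale "fffmpeg.exe" name, and checks the Authenticode signer against the legitimate "Justice AV Solutions Inc." subject. The download and install paths in `$Targets` are assumptions and should be adjusted to the host being examined.

```powershell
# Added triage example (not from the original article). Paths are assumptions.
$ExpectedSigner = 'Justice AV Solutions Inc.'
$KnownBadSha1 = @(
    'b8e97333fc1b5cd29a71299a8f82a541cabf4d59',  # malicious Windows Installer
    'b9d13055766d792abaf1d11f18c6ee7618155a0e',  # fffmpeg.exe dropper
    'cd60955033d1da273a3fda61f69d76f6271e7e4c'   # dropped DLL ("HelloWorld")
)
$Targets = @(
    "$env:USERPROFILE\Downloads\JAVS.Viewer8.Setup_8.3.7.250-1.exe",  # assumed download location
    'C:\Program Files (x86)\JAVS\Viewer 8\fffmpeg.exe'                 # assumed install location
)

function Test-JavsArtifact {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # nothing to examine
    $findings = @()

    # 1. Hash match against the samples described in the report
    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    if ($KnownBadSha1 -contains $sha1) { $findings += "SHA1 matches a known malicious sample ($sha1)" }

    # 2. The dropper's distinctive misspelled filename (three f's)
    if ((Split-Path -Path $Path -Leaf) -ieq 'fffmpeg.exe') { $findings += "filename 'fffmpeg.exe' matches the dropper name" }

    # 3. Authenticode signer: legitimate JAVS binaries are signed by Justice AV Solutions Inc.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $findings += "Authenticode status is '$($sig.Status)'" }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -notlike "*CN=$ExpectedSigner*") { $findings += "signer is '$subject', expected '$ExpectedSigner'" }
    if ($subject -like '*Vanguard Tech Limited*') { $findings += "signed with the 'Vanguard Tech Limited' certificate seen in this campaign" }

    [pscustomobject]@{ Path = $Path; SHA1 = $sha1; Signer = $subject; Findings = $findings }
}

$results = $Targets | ForEach-Object { Test-JavsArtifact -Path $_ }
$results | Format-List
if ($results | Where-Object { $_.Findings.Count -gt 0 }) {
    Write-Warning 'Indicators present: treat the host as compromised, re-image it and reset credentials as the advisory recommends.'
}
```

A signer mismatch or an unexpected hash on a file served from the vendor's own download page is exactly the supply chain signal the report describes, so any finding here warrants the full remediation rather than just deleting the file.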

Attackers obtained a certificate in February and used it to sign malicious versions of the JAVS Viewer software, which were served from the official JAVS download page between at least April and May. 

The malware gave attackers remote access to infected systems. Security researchers discovered the attack in May and traced it back to the compromised JAVS downloads page; the attackers were actively updating their infrastructure throughout this period.

The malicious ffmpeg.exe was found to make unauthorized remote connections: after execution, it communicates with a command-and-control server and transmits host data such as the hostname and OS details.

Sample Network Traffic Containing Information About the Host

It then holds a persistent connection open to receive commands. Further investigation showed ffmpeg.exe launching obfuscated PowerShell scripts that attempt to disable security measures and download additional malware.

Code References to Nuitka

Researchers at Rapid7 discovered malicious behavior within chrome_installer.exe, which drops a Python script and an executable (main.exe) into the user’s temporary folder. 

The script path is dynamically generated from a combination of the process ID and a timestamp. The executable, main.exe, is compiled from Python code using Nuitka and appears designed to steal browser credentials.

Kaaviya (https://cyberpress.org/)

Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
