The Pidgin messaging app removed the ScreenShareOTR plugin from its official third-party plugin list after it was found to be used to install keyloggers, information stealers, and malware commonly used to gain initial access to corporate networks.
The plugin was advertised as a screen-sharing tool for the secure Off-The-Record (OTR) protocol and was available for both the Windows and Linux versions of Pidgin.
According to ESET, the malicious plugin was configured to infect unsuspecting users with DarkGate malware, a powerful malware that threat actors have used to breach networks since QBot's dismantling by the authorities.
Sneaky Pidgin plugin
Pidgin is an open-source, cross-platform instant messaging client that supports multiple networks and messaging protocols.
Although not as popular as in the mid-2000s, when multi-protocol clients were in high demand, it remains a popular choice among those seeking to consolidate their messaging accounts into a single app, and it has a dedicated user base of tech-savvy people, open-source enthusiasts, and users who need to connect to legacy IM systems.
Pidgin operates a plugin system that allows users to extend the program's functionality, enable niche features, and unlock new customization options.
Users can download them from the project's official third-party plugins list, which currently hosts 211 addons.
According to an announcement on the project's website last week, a malicious plugin named 'ss-otr' had slipped into the list on July 6, 2024, and was only pulled on August 16 following a user report about it being a keylogger and screenshot-capturing tool.
“We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present.” – Pidgin
A red flag is that ss-otr only offered binaries for download and no source code, but because of the lack of robust review mechanisms in Pidgin's third-party plugin repository, nobody questioned its safety.
Plugin leads to DarkGate malware
ESET reports that the plugin installer is signed with a valid digital certificate issued to INTERREX – SP. Z O.O., a legitimate Polish company.
The plugin provides the advertised screen-sharing functionality but also contains malicious code that allows it to download additional binaries from the attacker's server at jabberplugins[.]net.
The downloaded payloads are either PowerShell scripts or the DarkGate malware, which is also signed by an Interrex certificate.
A similar mechanism is implemented for the Linux version of the Pidgin client, so both platforms are covered.
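A defender-side check for the download server named above, added here as an example and not part of ESET's or Pidgin's reporting: it parses constructed proxy log lines (a line format assumed for illustration) and flags every request to jabberplugins[.]net, marking those that fetch script or binary payloads.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Indicator from the ESET/Pidgin reporting: the plugin's download server.
# Kept defanged in source form and re-armed only for matching.
MALICIOUS_HOST = "jabberplugins[.]net".replace("[.]", ".")
# Payload types the reporting describes (PowerShell scripts, DarkGate binaries);
# ".so" is an assumption covering the Linux variant of the plugin.
PAYLOAD_EXTS = (".ps1", ".exe", ".dll", ".so")

# Constructed sample proxy log, not real traffic: "<ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2024-08-10T09:12:01Z 10.0.0.15 GET https://pidgin.im/plugins/ 200
2024-08-10T09:12:44Z 10.0.0.15 GET https://jabberplugins.net/ss-otr/update.ps1 200
2024-08-11T14:03:09Z 10.0.0.22 GET https://cdn.jabberplugins.net/omemo/plugin.exe 200
2024-08-11T14:05:10Z 10.0.0.22 GET https://example.org/index.html 200
2024-08-11T14:06:00Z 10.0.0.31 GET https://jabberplugins.net/ 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_malicious_host(host: str) -> bool:
    """Match the indicator host itself and any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == MALICIOUS_HOST or host.endswith("." + MALICIOUS_HOST)


def find_hits(log_text: str) -> list:
    """Return every request to the indicator host, flagging likely payload fetches."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        if not is_malicious_host(parsed.hostname or ""):
            continue
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "url": rec["url"],
            "payload": parsed.path.lower().endswith(PAYLOAD_EXTS),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Any client that appears in the hits, payload or not, is a candidate for the removal and full antivirus scan recommended later in the article.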
ESET says that the same malicious server, which has now been taken down, hosted additional plugins named OMEMO, Pidgin Paranoia, Master Password, Window Merge, and HTTP File Upload.
These plugins were almost certainly also delivering DarkGate, indicating that ScreenShareOTR was only one small part of a broader campaign.
Pidgin has not provided download stats for ss-otr, so the number of victims is unknown.
Those who installed it are advised to remove it immediately and perform a full system scan with an antivirus tool, as DarkGate may be lurking on their system.
To prevent similar incidents from happening in the future, Pidgin announced that, from now on, it will only accept third-party plugins that have an OSI Approved Open Source License, allowing scrutiny of their code and internal functionality.