Malware Delivered via Malicious Pidgin Plugin, Signal Fork


Threat actors have been observed delivering malware to instant messaging application users, including through a malicious Pidgin plugin and an unofficial fork of the Signal app. 

The developers of the Pidgin messaging app informed users on August 22 that they had become aware that a malicious plugin named ScreenShare-OTR (ss-otr) had made it onto the official third-party plugins list. 

An analysis revealed that the plugin contained keylogging code and shared screenshots with its operators. The plugin was removed and Pidgin has promised to take steps to prevent future incidents.

“It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download,” Pidgin developers said.

An analysis conducted by cybersecurity firm ESET showed that the Pidgin plugin contained malicious code designed to download and execute binaries from an attacker-controlled server. 

As advertised, the plugin provided screen sharing functionality over the off-the-record (OTR) messaging protocol, and its installer was signed with a valid certificate issued to a Polish company. 

However, the plugin also enabled its operators to download and execute a PowerShell script and malware known as DarkGate. The Linux version of the plugin had similar functionality.

ESET’s investigation into the site from where the malicious payloads were downloaded showed that it had been set up to appear like a plugin repository, offering plugins such as OMEMO, Pidgin Paranoia, Window Merge, Master Password, and HTTP File Upload.


One day later, ESET informed customers that the backdoor found in the malicious Pidgin plugin was also spotted in Cradle, which is advertised as an “anti-forensic messaging software”.

Cradle is an open source fork of the Signal application, but it is not sponsored by or related to Signal Messenger or the Signal Foundation. SecurityWeek has attempted to contact Cradle developers on press and general support email addresses, but received delivery failure notifications for both.  

ESET determined that while the forked source code is partially available on GitHub, the application is actually built using different code and includes the malicious code that was also present in the ScreenShare-OTR plugin. 

The malicious Cradle app is signed with the same certificate, and it is also designed to download scripts that deploy the DarkGate malware. According to ESET, DarkGate has been used to steal credentials, log keystrokes, and provide remote desktop capabilities. A Linux version of the malicious Cradle app is also available.

ESET has shared indicators of compromise (IoCs) for both the malicious Pidgin plugin and the Cradle app. 
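A practical first triage step is to hash every native plugin in the per-user Pidgin plugin directory and compare the digests against the published IoCs. The script below is an added example, not code from the article, Pidgin or ESET; the `KNOWN_BAD_SHA256` set holds a constructed placeholder (the SHA-256 of an empty file), not ESET's real indicators, and must be replaced with the hashes from the ESET write-up before use. The directory paths assume the default libpurple user directory (`~/.purple` on Linux, `%APPDATA%\.purple` on Windows).

```python
"""Triage helper: hash every native plugin (.so / .dll) in a Pidgin/libpurple
plugin directory and flag any whose SHA-256 appears in an IoC list.

Added example, not from the article, Pidgin or ESET. The hash below is a
constructed placeholder; substitute the real IoCs before running for real."""
import hashlib
import os
from pathlib import Path

# Constructed placeholder IoC set (NOT ESET's indicators): SHA-256 of an empty file.
KNOWN_BAD_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Native plugin extensions libpurple loads from the user plugin directory.
PLUGIN_SUFFIXES = {".so", ".dll"}


def default_plugin_dirs():
    """Default per-user libpurple plugin directories (assumed default layout)."""
    dirs = [Path.home() / ".purple" / "plugins"]
    appdata = os.environ.get("APPDATA")  # Windows: %APPDATA%\.purple\plugins
    if appdata:
        dirs.append(Path(appdata) / ".purple" / "plugins")
    return dirs


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_plugin_dir(directory, bad_hashes=KNOWN_BAD_SHA256):
    """Return [(path, sha256, is_ioc_match)] for each plugin binary in `directory`.

    Non-plugin files (README, config) are skipped; a missing directory yields [].
    """
    directory = Path(directory)
    results = []
    if not directory.is_dir():
        return results
    for p in sorted(directory.iterdir()):
        if p.is_file() and p.suffix.lower() in PLUGIN_SUFFIXES:
            digest = sha256_file(p)
            results.append((str(p), digest, digest in bad_hashes))
    return results


def main():
    for d in default_plugin_dirs():
        for path, digest, hit in scan_plugin_dir(d):
            print(("IOC MATCH  " if hit else "ok         ") + digest + "  " + path)


if __name__ == "__main__":
    main()
```

A hash match is only a positive confirmation; a non-match does not clear a host, because the dropper's second stage (the PowerShell script and DarkGate) lives outside the plugin directory and the operators can rebuild the binary at any time. Treat a plugin that ships without source, as ScreenShare-OTR did, as suspect regardless of its hash or code-signing certificate.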
