Security researchers have found threat actors using unofficial versions of popular messaging apps to deliver malware. The campaign involves using a malicious Pidgin plugin and an unofficial fork of the Signal app.
Analysis of the malicious plugin, called ScreenShare-OTR, revealed that it contained keylogging code and sent screenshots back to its operators. The plugin did deliver its advertised functionality of screen sharing over the off-the-record (OTR) protocol. However, it also allowed its operators to download and run a PowerShell script that installed the DarkGate malware. The Linux version of the malware had similar functionality.
The Pidgin app’s developers have already issued a statement providing more details on the malicious plugin and warning users to stay away. The plugin has been removed, and Pidgin has promised to take steps to prevent further incursions.
ESET security researchers demonstrated that the plugin contained malicious code to download and execute binaries from an attacker-controlled command and control (C2) server. “It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download,” adds the statement issued by Pidgin.
As for the unofficial Signal fork, the app in question is called Cradle. It isn’t sponsored by or associated with Signal in any way, and emails sent to its press and general support addresses bounce with delivery failure notifications. ESET researchers spotted the same backdoor found in the malicious Pidgin plugin being used in the app, which markets itself as “anti-forensic messaging software.”
While the forked app’s source code is partially available on GitHub, the distributed app is built from different code, including the malicious code that was also found in the ScreenShare-OTR plugin. It is signed with the same valid certificate from a Polish company and likewise has the capability to deploy DarkGate on victim devices.