In a significant cybersecurity development, the popular instant messaging client Pidgin has removed the ScreenShareOTR plugin from its official repository. This action comes after the discovery that the plugin was being used to distribute keyloggers, infostealers, and other malicious software typically employed for initial access to corporate networks.
The ScreenShareOTR Deception
ScreenShareOTR was marketed as a solution for secure screen sharing using the Off-The-Record (OTR) protocol. Available for both Windows and Linux versions of Pidgin, the plugin appeared legitimate at first glance. However, security analysts at ESET uncovered its true nature: a vehicle for deploying the DarkGate malware, a tool cybercriminals have increasingly turned to since the takedown of the QBot infrastructure by authorities.
Timeline of Events and Discovery
The compromised plugin was added to Pidgin’s official third-party plugin list on July 6, 2024. It wasn’t until August 16 that the Pidgin team received reports of the plugin containing a keylogger and transmitting screenshots to unauthorized parties. The plugin was promptly removed, and an investigation was launched. By August 22, cybersecurity specialist Johnny Xmas confirmed the presence of the keylogger.
Exploitation of Trust and Lack of Verification
The incident highlights a critical weakness in Pidgin’s plugin system. Although ScreenShareOTR shipped only binaries and no source code, it was accepted without scrutiny because no robust verification mechanism existed. This oversight allowed the malicious code to masquerade as a legitimate plugin for over a month.
Technical Analysis of the Malware
ESET’s investigation revealed that the plugin installer was signed with a valid digital certificate from a real Polish company, INTERREX – SP.Z O.O. This signature lent an air of legitimacy to the malicious software. The installer contained code designed to download additional binaries from a command-and-control server at jabberplugins[.]net.
The payload delivered by the compromised plugin varied between PowerShell scripts and the DarkGate malware, both signed with the Interrex certificate. Signing every stage with a valid certificate shows how much effort the attackers invested in evading detection and maintaining persistence on infected systems.
Broader Implications and Additional Compromised Plugins
Further investigation uncovered that the same malicious server hosted other potentially compromised Pidgin plugins, including OMEMO, Pidgin Paranoia, Master Password, Window Merge, and HTTP File Upload. Experts believe these plugins were likely part of a larger campaign to distribute DarkGate, with ScreenShareOTR being just one component of a more extensive operation.
Recommendations for Affected Users
Users who have installed the ScreenShareOTR plugin or any of the other potentially compromised plugins are strongly advised to take immediate action. This includes removing the plugins and conducting a thorough system scan using up-to-date antivirus software to detect and remove any DarkGate infections.
This incident serves as a stark reminder of the importance of robust security practices in software distribution channels. It underscores the need for stringent verification processes, even for trusted platforms like Pidgin. As cyber threats continue to evolve, users and developers alike must remain vigilant and prioritize security at every level of software development and distribution.