Contents:
For the past week, upon searching for ‘GIMP’ on Google, visitors would be shown an ad for ‘GIMP.org,’ the official website of the graphics editor. This is where the things would take a turn for the worse: the ad appeared legitimate but clicking it resulted in visitors landing on a lookalike phishing website. The 700 MB executable pretending to be GIMP was in fact malware ready to take on the victim`s devices.
Malvertising via Google Ads
This malvertising campaign drove visitors to a lookalike page delivering a malicious ‘Setup.exe’ that appeared to be the GIMP utility for Windows, replacing a previous method where the malicious ad would lead victims to a Dropbox URL.
To seem more believable and thus convince as many users as possible into downloading the trojanized executable themselves, the threat actor artificially enhanced the malware, so that instead of 5 MB in size, it now appeared as 700 MB. To do so, the threat actors had to apply a technique called binary padding, which in a nutshell means adding junk data to the malware binary to modify its on-disk representation.
Users have also noticed that the Google ad showed the correct ‘GIMP.org’ as the destination domain but clicking it would redirect them to the fake ‘gilimp.org’ site. The explanation for this would be that Google allows the creation of ads with different URLs: one to be shown in the ad, and a landing URL where the user will eventually end up.
The two URLSs don`t have to be the same, but there are strict policies regarding the display URLs, which need to use the same domain as the landing URL.
Your ads’ URLs should give customers a clear idea of what page they’ll arrive at when they click on an ad. For this reason, Google’s policy is that both display and landing page URLs should be within the same website. This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad.
Knowing this raises the question if there is a possibility the hackers have exploited a bug in Google Ad Manager that allowed the malvertising campaign to happen. Google has yet to give an official statement on this issue.
VIDAR Infostealer Campaigns
BleepingComputer claims to have obtained a copy of the malicious executable and confirm it is an infostealing trojan called VIDAR, which usually attempts to steal from infected machines information consisting of:
- Crypto wallets.
- Telegram account credentials for those used on Windows versions.
- File transfer app data such as FileZilla, WINSCP, or FTP.
- Info related to emails.
- Browser information such as cookies, passwords, browser history, or payment info.
Previously, VIDAR had been deployed via domain typosquatting campaigns using over two hundred fake websites that imitate twenty-seven well-known brands.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.
