Until last week, looking up “GIMP” on Google would serve visitors a seemingly legitimate ad, pointing to “GIMP.org,” GNU Image Manipulation Program’s official website.
Displaying GIMP.org as the destination domain added to the illusion of legitimacy, but interacting with the ad would redirect visitors to a phishing website replicating the project.
The rogue page hosted a 700 MB executable posing as a GIMP installer that, on closer analysis, turned out to be laced with info-stealing malware. As Reddit user ZachIngram04 pointed out, the threat actors initially pushed the fake installer via Dropbox but later switched to the look-alike domain "gilimp.org" to make the download seem more genuine.
The perpetrators used a technique known as binary padding to inflate the malicious installer from roughly 5 MB to a more believable 700 MB, so that its size would not arouse suspicion among eagle-eyed visitors who know how large the real installer is. Oversized files also tend to exceed the upload limits of online scanning services, which is another reason attackers pad them.
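Padding of this kind leaves a measurable trace: the filler is usually a long run of one byte value, so most of the file has near-zero entropy. The script below is an added example (not code from the article or from Bitdefender) that scores a file on two indicators, the length of the identical-byte run at its tail and the fraction of low-entropy chunks. The thresholds, chunk size and the constructed sample (a random "payload" followed by zero bytes, scaled down from 5 MB/700 MB to 5 KB/700 KB) are assumptions for illustration; filler made of random bytes would defeat the entropy check, so treat a negative result as inconclusive.

```python
"""Heuristic check for binary padding: a small payload inflated with filler bytes.
Added example; thresholds and sample data are assumptions, not values from the article."""
import math
import random
from collections import Counter

CHUNK = 4096                # bytes per entropy window (assumed)
LOW_ENTROPY = 1.0           # bits/byte; a single repeated value scores 0.0, random data ~8.0
PADDING_THRESHOLD = 0.5     # flag the file if more than half of it looks like filler (assumed)


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte of one chunk."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def trailing_run_length(data: bytes) -> int:
    """Number of identical bytes at the very end of the file (zero-padding shows up here)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def low_entropy_fraction(data: bytes) -> float:
    """Fraction of CHUNK-sized windows whose entropy falls below LOW_ENTROPY."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if not chunks:
        return 0.0
    low = sum(1 for c in chunks if shannon_entropy(c) < LOW_ENTROPY)
    return low / len(chunks)


def analyze(data: bytes) -> dict:
    """Summarize the padding indicators and return a verdict."""
    size = len(data)
    run = trailing_run_length(data)
    run_ratio = run / size if size else 0.0
    frac = low_entropy_fraction(data)
    return {
        "size": size,
        "trailing_run": run,
        "trailing_run_ratio": run_ratio,
        "low_entropy_fraction": frac,
        "likely_padded": run_ratio > PADDING_THRESHOLD or frac > PADDING_THRESHOLD,
    }


def analyze_file(path: str) -> dict:
    """Run the check against a file on disk (e.g. a suspicious installer)."""
    with open(path, "rb") as fh:
        return analyze(fh.read())


def build_sample(payload_size: int, total_size: int, pad_byte: int = 0x00, seed: int = 1234) -> bytes:
    """Constructed sample: pseudo-random 'payload' followed by filler bytes.
    The last payload byte is forced to differ from the filler so the run is well-defined."""
    payload = bytearray(random.Random(seed).randbytes(payload_size))
    if payload[-1] == pad_byte:
        payload[-1] ^= 0xFF
    return bytes(payload) + bytes([pad_byte]) * (total_size - payload_size)


if __name__ == "__main__":
    # Scaled-down stand-in for a ~5 MB binary padded to ~700 MB (same ratio, sizes in KB).
    padded = build_sample(5 * 1024, 700 * 1024)
    print("padded sample :", analyze(padded))
    # Unpadded control: random data of the same size should not be flagged.
    control = random.Random(99).randbytes(700 * 1024)
    print("random control:", analyze(control))
```

Against a real sample you would run `analyze_file("installer.exe")`; a trailing-run ratio near 0.99, as the constructed sample produces, means almost the whole file is filler and the small head is what actually deserves analysis.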
The ad also broke a basic rule: while it displayed "GIMP.org" as its destination domain, clicking it redirected visitors to the rogue "gilimp.org" website. Google enforces ad policies meant to prevent exactly this kind of abuse, requiring the display URL and the landing page to be within the same domain.
"Your ads' URLs should give customers a clear idea of what page they'll arrive at when they click on an ad,” reads Google’s Ads URL policy. “For this reason, Google's policy is that both display and landing page URLs should be within the same website. This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad."
After analyzing the fake GIMP installer, cybersecurity researchers confirmed that it concealed an info-stealing trojan dubbed VIDAR, as BleepingComputer reports. Once it has established a connection to its command-and-control (C2) server, the trojan typically attempts to exfiltrate data from the compromised system, including:
Specialized software such as Bitdefender Ultimate Security can protect you against info-stealer malware and other types of e-threats, with features like:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.