As recently as last week, a Google ad for GIMP took users to a fake website resembling the genuine one and served a 700MB executable laced with the VIDAR info-stealer instead of the actual software.
The ad appeared legitimate because the URL it displayed was that of the real GIMP website, gimp.org. However, clicking it took users to a slightly different domain, “gilimp.org”, which served a modified GIMP installer containing VIDAR.
Two tricks were used to get users to download VIDAR. First, the URL the ad actually pointed to differed from the one it displayed; second, the threat actor used binary padding to inflate the malware from 5MB to 700MB so that the download size looked plausible for a real GIMP installer.
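Padding is cheap to detect: the filler is appended after the last PE section (the "overlay"), so a file whose overlay dominates its size deserves a closer look before the installer is trusted. The following is an added example, not code from the original report or from any of the parties it mentions. It parses the PE section table to measure the overlay, reports the overlay's entropy, and builds a constructed, non-executable PE-shaped sample (5KB of "code" plus 700KB of zero filler, the campaign's 5MB/700MB ratio scaled down) to show the check in action. The 50% overlay threshold and the assumption that the filler is low-entropy are choices made for this example; legitimate installers can carry large overlays (self-extracting archives), so treat the verdict as a triage signal, not proof.

```python
import math
import struct
import sys
from collections import Counter


def build_fake_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed sample: DOS header -> 'PE\\0\\0' -> COFF header (no optional
    header) -> one section header -> raw section data -> overlay appended."""
    raw_ptr = 64 + 4 + 20 + 40  # DOS hdr + signature + COFF hdr + 1 section hdr
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C -> 64
    # Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + section + section_data + overlay


def overlay_size(data: bytes) -> int:
    """Bytes after the end of the last section's raw data (the PE overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    sec_table = e_lfanew + 24 + opt_size        # section headers follow the optional header
    image_end = sec_table + 40 * num_sections   # at least the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    return max(0, len(data) - image_end)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-zero filler, ~8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(data: bytes, min_ratio: float = 0.5, max_entropy: float = 1.0) -> dict:
    """Flag a file whose overlay is most of its size; report whether the filler
    is low-entropy (zeros or repeated bytes) as supporting evidence."""
    ov = overlay_size(data)
    filler = data[len(data) - ov:] if ov else b""
    ratio = ov / len(data)
    ent = entropy(filler)
    return {
        "file_bytes": len(data),
        "overlay_bytes": ov,
        "overlay_ratio": round(ratio, 3),
        "overlay_entropy": round(ent, 3),
        "low_entropy_filler": ov > 0 and ent <= max_entropy,
        "padded": ratio >= min_ratio,
    }


# Constructed samples: 5KB of high-entropy "code" with and without 700KB of zero padding.
FAKE_CODE = bytes(range(256)) * 20
PADDED_SAMPLE = build_fake_pe(FAKE_CODE, b"\x00" * (700 * 1024))
CLEAN_SAMPLE = build_fake_pe(FAKE_CODE, b"")

if __name__ == "__main__":
    # Usage: python pad_check.py <file.exe>; without an argument, analyze the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(analyze(f.read()))
    else:
        print("padded sample:", analyze(PADDED_SAMPLE))
        print("clean sample: ", analyze(CLEAN_SAMPLE))
```

The overlay check is also why the inflated file still works: Windows loads only the bytes the section table describes, so the filler never has to be valid code and the trojan runs unchanged.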
The issue was first brought to light on the GIMP subreddit by user ZachIngram04 three days ago, and the GIMP team confirmed this was the first time they had seen an attack like this. The post author also pointed out that the download button sent users to a suspicious Dropbox page that served the actual payload.
Two domains are currently known to have participated in the campaign: the primary, “gilimp.org”, and a second, “gimp.monster”. At the time of writing, both have been taken down by the registrar, NameSilo.
Google Ads lets advertisers enter two URLs for an ad: a display URL, which is shown with the ad, and a final (landing) URL, which Google says is meant to send people to a specific page on the advertiser's website. The two need not be identical, but Google enforces strict rules on how much they may differ, and both must share the same domain name.
It is currently unknown how the threat actor bypassed these rules. Another Reddit user, RawPacket, hinted at an IDN homograph attack, in which letters in the domain name are replaced with look-alike characters from a different script; the resulting fake domain looks identical to the real one but leads to a completely different website. Note, however, that the two domains identified so far, gilimp.org and gimp.monster, are plain ASCII look-alikes rather than homographs.
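Whatever let the ad through Google's review, the check a user or a proxy can make is the same: compare the hostname the click actually lands on with the domain the ad displays, after undoing the tricks that make them look alike. The following is an added example, not code from the original report or from Google, that does this in three steps: it decodes punycode (`xn--`) labels back to the Unicode a browser would render, replaces a small subset of Cyrillic/Latin confusables (an assumption; a real check would use the full Unicode confusables table from UTS #39) to unmask homographs, and then compares the registrable domain against the expected one, flagging same-name/different-TLD domains like gimp.monster and short-edit-distance typosquats like gilimp.org. The expected domain gimp.org, the "last two labels" approximation of the registrable domain (real code would consult the Public Suffix List) and the edit-distance threshold of 2 are choices made for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Subset of Unicode confusables (constructed for this example): Cyrillic and
# other look-alikes mapped to the Latin letter they imitate.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL (raises if the URL has none)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def decode_idn(host: str) -> str:
    """Turn xn-- (punycode) labels back into the Unicode the user would see."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """NFKC-normalise and replace known look-alikes, so a Cyrillic 'і' in
    'gіmp.org' collapses to the ASCII 'gimp.org' it is imitating."""
    host = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(c, c) for c in host)


def registrable(host: str) -> str:
    """Approximation: the last two labels (assumption; use the Public Suffix List in real code)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'gilimp' vs 'gimp' is 2 (two inserted letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_ad(display_url: str, landing_url: str, expected: str = "gimp.org") -> dict:
    """Compare where an ad says it goes with where it actually lands."""
    reasons = []
    display = registrable(hostname(display_url))
    landing_raw = hostname(landing_url)
    landing = decode_idn(landing_raw)
    if landing != landing_raw:
        reasons.append(f"punycode hostname {landing_raw} renders as {landing}")
    skel = skeleton(landing)
    if skel != landing:
        reasons.append(f"homograph characters: {landing} imitates {skel}")
    if any(ord(c) > 127 for c in skel):
        reasons.append("non-ASCII characters remain in hostname")
    reg = registrable(skel)
    if reg == expected:
        return {"ok": not reasons, "landing": landing, "reasons": reasons}
    reasons.append(f"landing domain {reg} is not {expected}")
    if display == expected:
        reasons.append(f"display URL shows the genuine domain {expected}")
    e_sld, e_tld = expected.rsplit(".", 1)
    sld, tld = reg.rsplit(".", 1)
    if sld == e_sld and tld != e_tld:
        reasons.append(f"same name, different TLD (.{tld})")
    elif levenshtein(sld, e_sld) <= 2:
        reasons.append(f"typosquat: {sld!r} is within edit distance 2 of {e_sld!r}")
    return {"ok": False, "landing": landing, "reasons": reasons}


if __name__ == "__main__":
    for landing in ("https://www.gimp.org/downloads/", "https://gilimp.org/downloads/",
                    "https://gimp.monster/", "https://" + "g\u0456mp.org".encode("idna").decode() + "/"):
        print(landing, "->", check_ad("https://www.gimp.org", landing))
```

Run against the two domains from this campaign, the check trips on the typosquat and the TLD swap without needing the homograph logic at all; the punycode path is there for the case RawPacket describes, where the rendered hostname would be indistinguishable from gimp.org by eye.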
VIDAR campaign goes on ahead
BleepingComputer obtained a copy of the malware distributed by the campaign and reports it to be the VIDAR info-stealing trojan. The trojan connects to a command-and-control (C2) server in Russia and can be controlled remotely.
Further analysis by security researcher oxoLuke revealed that, at least in this case, the trojan also contacts a second C2 server at 126.96.36.199 to fetch its configuration before downloading a second-stage payload, a technique threat actors commonly use to keep the final malware out of sight.
This second-stage payload is generally delivered as a ZIP archive containing additional DLL files that support the malware's capabilities. Once fully deployed, VIDAR can steal:
- Browser information including passwords, cookies, history and credit card details.
- Information from any software crypto wallets on the target machine.
- Telegram for Windows credentials.
- FTP client data.
- Mail client data.
- Any files matching regex patterns sent by the threat actor.
This is not the first time VIDAR has been distributed through typosquatted domains: a previous campaign targeted more than 27 programs in a similar manner, including Brave Browser and Microsoft Visual Studio.