
Rogue GIMP Google Ad Pushed Info-Stealer Malware Through Website Replica

Vlad CONSTANTINESCU

November 01, 2022


Until last week, looking up “GIMP” on Google would serve visitors a seemingly legitimate ad, pointing to “GIMP.org,” GNU Image Manipulation Program’s official website.

Displaying GIMP.org as the destination domain added to the illusion of legitimacy, but interacting with the ad would redirect visitors to a phishing website replicating the project.

The rogue page hosted a 700 MB executable mimicking a GIMP installer that, upon further analysis, proved laced with info-stealing malware. As Reddit user ZachIngram04 pointed out, threat actors initially pushed the fake installer via Dropbox but switched to a replica domain, ‘gilimp.org’, to make it seem more genuine.

Perpetrators used a technique known as binary padding to increase the malicious installer’s size from roughly 5 MB to a more believable 700 MB to avoid arousing suspicion from eagle-eyed visitors.
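A defender-side check for the padding trick described above, added here as an example and not code from the article or from any vendor: it measures the trailing run of identical bytes in a file and flags files that are mostly such padding. The thresholds and the sample blobs are constructed for illustration; a file padded with random rather than repeated bytes would need a different heuristic (such as comparing the PE header's declared sizes to the file size).

```python
import math
import random
from collections import Counter

# Thresholds are assumptions for this example, not values from the article.
MIN_PAD_BYTES = 64 * 1024   # ignore short runs such as section alignment padding
MIN_PAD_RATIO = 0.5         # flag when most of the file is one repeated byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated byte, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the end of the file, which is
    where appended junk usually lives."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def padding_report(data: bytes) -> dict:
    """Summarise the trailing run and flag files that are mostly padding."""
    run = trailing_run_length(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "trailing_run": run,
        "padding_ratio": round(ratio, 3),
        "tail_entropy": round(shannon_entropy(data[-run:]) if run else 0.0, 3),
        "suspicious": run >= MIN_PAD_BYTES and ratio >= MIN_PAD_RATIO,
    }


# Constructed samples: a 4 KiB pseudo-random "payload" (bytes 0x01..0xFF, so it
# never ends in 0x00) standing in for a real installer, and the same payload
# inflated about 140x with zero bytes, a scaled-down version of the 5 MB to
# 700 MB growth described in the article.
_rng = random.Random(1)
CLEAN_SAMPLE = bytes(_rng.randrange(1, 256) for _ in range(4096))
PADDED_SAMPLE = CLEAN_SAMPLE + b"\x00" * (4096 * 139)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(name, padding_report(blob))
```

On a downloaded installer, call `padding_report(open(path, "rb").read())`; a large run-length hit is a triage signal rather than a verdict, since legitimate installers also carry some alignment padding.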

To complicate matters further, while the ad displayed “GIMP.org” as its destination domain, clicking it would redirect visitors to the rogue “gilimp.org” website. Google enforces strict ad policies to prevent exploits, requiring landing page and display URLs to be within the same domain.

"Your ads' URLs should give customers a clear idea of what page they'll arrive at when they click on an ad,” reads Google’s Ads URL policy. “For this reason, Google's policy is that both display and landing page URLs should be within the same website. This means that the display URL in your ad needs to match the domain that visitors land on when they click on your ad."

After analyzing the fake GIMP installer, cybersecurity researchers confirmed that it was cloaking an info-stealing trojan dubbed VIDAR, as BleepingComputer reports. After establishing a connection to its command-and-control (C2) server, the trojan typically attempts to exfiltrate data from compromised systems, including:

  • Crypto wallets
  • Browser data such as cookies, passwords, credit card details and history
  • Information from mailing and file transfer applications
  • System information (RAM, CPU)
  • Lists of files on the system
  • Screenshots

Specialized software such as Bitdefender Ultimate Security can protect you against info-stealer malware and other types of e-threats, with features like:

  • Continuous real-time protection against viruses, worms, Trojans, spyware, rootkits, zero-day exploits, ransomware and other cyberthreats
  • Network threat-prevention module that detects and blocks suspicious network-level activities, including malware, brute force attacks, exploits and botnet-related URLs
  • Behavioral detection technology that monitors active apps and takes instant action upon detecting suspicious activity
  • Web attack prevention that warns you about potentially harmful websites and blocks known infected links
  • Anti-phishing module that detects and blocks websites masquerading as trustworthy to steal your data

Author

Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
