BleepingComputer reports that threat actors have been spreading the Vidar information-stealing malware through a malicious search ad for the GNU Image Manipulation Program (GIMP); the ad redirects to a phishing site that impersonates the legitimate GIMP.org website.
Until last week, searching Google for 'GIMP' would surface a Google ad leading to the phishing site, which delivers a malicious executable named 'Setup.exe'. The attackers padded the binary so that a file of under 5 MB appears to be roughly 700 MB on disk, a trick commonly used to push a sample past the file-size limits of antivirus engines and sandbox upload forms, so defenders should not rely on size alone when deciding what to scan.
BleepingComputer found that 'Setup.exe' retrieves a file named 'Htcnwiij.bmp' from a Russia-hosted URL; despite the image extension, the file is a DLL used to carry out the malware's execution. After contacting its command-and-control server, the setup file downloads second-stage payloads. Vidar then exfiltrates browser data, cryptocurrency wallets, email client data, file-transfer client details, and credentials for Telegram's Windows client.
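The two tricks in this campaign, a dropper whose size is inflated with filler bytes and a DLL served under a '.bmp' name, are both cheap to catch with static checks that ignore what the file claims to be. The following is an added example written for this article, not code from BleepingComputer, Vidar's operators, or any vendor: it sniffs the file type from magic bytes, flags an extension that contradicts them, and measures how much of a file is one trailing run of a repeated byte. Every sample file is constructed in a temporary directory (a zero-padded 'MZ' stub, an 'MZ' file with a '.bmp' name, and a genuine 'BM' bitmap), so no real Vidar artifacts or hashes are involved; the 50% padding threshold and the 4 MB pad size are assumptions chosen for the demonstration.

```python
"""Static triage for padded droppers and mislabelled DLLs.
Added example for this article, not BleepingComputer's or any vendor's code.
All sample files are constructed here; no real Vidar artifacts are used."""
import os
import tempfile

MAGIC = {b"MZ": "pe", b"BM": "bmp"}   # PE image (EXE/DLL) vs Windows bitmap
PADDING_THRESHOLD = 0.50               # assumption: flag if >50% is trailing filler


def sniff_format(path: str) -> str:
    """Identify a file by its first two bytes, ignoring the extension."""
    with open(path, "rb") as f:
        return MAGIC.get(f.read(2), "unknown")


def extension_mismatch(path: str) -> bool:
    """True when the name claims an image but the bytes are a PE image,
    the 'Htcnwiij.bmp'-is-really-a-DLL pattern."""
    ext = os.path.splitext(path)[1].lower()
    return ext in (".bmp", ".png", ".jpg", ".gif") and sniff_format(path) == "pe"


def trailing_run_fraction(path: str, chunk: int = 1 << 20) -> float:
    """Fraction of the file occupied by a trailing run of one repeated byte.
    Reads backwards in chunks and stops at the first non-filler byte, so only
    the padding itself plus one chunk of real content is ever read."""
    size = os.path.getsize(path)
    if size == 0:
        return 0.0
    run, fill, pos = 0, None, size
    with open(path, "rb") as f:
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            f.seek(pos)
            block = f.read(step)
            if fill is None:
                fill = block[-1:]            # the byte the file ends with
            stripped = block.rstrip(fill)
            run += len(block) - len(stripped)
            if stripped:                     # the run ends inside this block
                break
    return run / size


def triage(path: str) -> dict:
    """Combine the checks into one verdict dict for a dropped file."""
    size = os.path.getsize(path)
    frac = trailing_run_fraction(path)
    return {
        "path": os.path.basename(path),
        "format": sniff_format(path),
        "size": size,
        "padded": frac > PADDING_THRESHOLD,
        "real_bytes": int(size * (1 - frac)),   # content left after the filler
        "ext_mismatch": extension_mismatch(path),
    }


def build_samples(directory: str, pad_bytes: int = 4 << 20) -> dict:
    """Write constructed look-alikes of the campaign's files (not real samples)."""
    body = bytes(range(256)) * 16              # 4 KB stand-in for real code
    samples = {
        "Setup.exe": b"MZ" + body + b"\x00" * pad_bytes,   # zero-padded dropper
        "Htcnwiij.bmp": b"MZ" + body,                       # DLL with a .bmp name
        "logo.bmp": b"BM" + body,                           # genuine bitmap
    }
    paths = {}
    for name, data in samples.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(data)
        paths[name] = p
    return paths


def demo() -> dict:
    """Build the constructed samples in a temp dir and triage each one."""
    with tempfile.TemporaryDirectory() as d:
        return {name: triage(p) for name, p in build_samples(d).items()}


if __name__ == "__main__":
    for verdict in demo().values():
        print(verdict)
```

Reading the file from the end keeps the check cheap on a genuinely large installer, since the loop stops as soon as it hits a byte that differs from the final one; a padded sample is flagged by `padded`, and `real_bytes` gives a sensible size to feed to a scanner that would otherwise refuse the inflated file. The magic-byte check is deliberately independent of `padded`, because the second-stage DLL in this campaign was small and only disguised by its extension.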
Threat actors have deployed 45 malicious NPM and PyPI packages in a wide-ranging data theft campaign that began on Sept. 12, according to BleepingComputer.
Chinese threat actors exfiltrated about 60,000 emails from U.S. State Department accounts during the widespread compromise of Microsoft email accounts that began in May, a staffer for Sen. Eric Schmitt, R-Mo., said, according to Reuters.