BleepingComputer reports that threat actors have been spreading the Vidar info-stealing malware through a malicious ad for the GNU Image Manipulation Program, which redirects to a phishing website impersonating the legitimate GIMP.org website.
Until last week, searching for 'GIMP' on Google returned a Google ad that led to the phishing site, which served a malicious executable named 'Setup.exe'. The attackers used binary padding to make the malware file, which is actually under 5 MB, appear to be a 700 MB file.
According to BleepingComputer, 'Setup.exe' retrieves a file named 'Htcnwiij.bmp' from a Russia-based URL; despite its extension, the file is a DLL used to execute the malware. After communicating with its command-and-control server, the setup file downloads second-stage payloads. Vidar then exfiltrates browser data, cryptocurrency wallets, mail client data, file transfer application details, and Telegram for Windows credentials.
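The padding trick described above (a small executable inflated to hundreds of megabytes so that it looks like a bulky installer and exceeds the size limits of some scanners) leaves a measurable trace: a large overlay past the last PE section that consists almost entirely of one filler byte. The following is an added example, not code from BleepingComputer or from the report; it parses the PE section table with the standard library, measures the overlay, and flags files whose overlay is both a large share of the file and dominated by a single byte value. The `build_synthetic_pe` helper builds a constructed, non-functional PE image purely so the check can run offline; the thresholds are assumptions to tune per environment.

```python
import collections
import struct


def pe_end_of_sections(data: bytes) -> int:
    """Return the file offset just past the last section's raw data.

    Only the fields needed to locate section raw data are parsed; anything
    malformed raises ValueError rather than being guessed at.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_of_opt
    end = sect_table + 40 * num_sections  # headers count even with zero sections
    for i in range(num_sections):
        off = sect_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        if ptr_raw + size_raw > len(data):
            raise ValueError("section raw data extends past end of file")
        end = max(end, ptr_raw + size_raw)
    return end


def analyze_padding(data: bytes, min_overlay_ratio: float = 0.5,
                    min_filler_ratio: float = 0.9) -> dict:
    """Measure the PE overlay and flag low-entropy padding.

    Legitimate installers (NSIS, self-extracting archives) also carry an
    overlay, but it is compressed payload, not a run of one byte; the
    filler-byte ratio separates the two cases. Thresholds are assumptions.
    """
    end = pe_end_of_sections(data)
    overlay = data[end:]
    overlay_ratio = len(overlay) / len(data)
    if overlay:
        filler_byte, count = collections.Counter(overlay).most_common(1)[0]
        filler_ratio = count / len(overlay)
    else:
        filler_byte, filler_ratio = None, 0.0
    return {
        "file_size": len(data),
        "sections_end": end,
        "overlay_size": len(overlay),
        "overlay_ratio": round(overlay_ratio, 3),
        "filler_byte": filler_byte,
        "filler_ratio": round(filler_ratio, 3),
        "suspicious": overlay_ratio >= min_overlay_ratio
        and filler_ratio >= min_filler_ratio,
    }


def build_synthetic_pe(section_bytes: bytes, pad_bytes: bytes) -> bytes:
    """Constructed minimal PE32 image with one section plus an optional overlay.

    It is not runnable code, just enough header structure for the parser.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 0xE0                                    # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40            # first byte after headers
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_bytes), 0x1000,
                       len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + section_bytes + pad_bytes


# Constructed samples: a plain image and the same image with 64 KiB of null padding.
PLAIN = build_synthetic_pe(b"\x90" * 256, b"")
PADDED = build_synthetic_pe(b"\x90" * 256, b"\x00" * (64 * 1024))

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("padded", PADDED)):
        print(name, analyze_padding(sample))
```

Run against a real sample the same way (`analyze_padding(open(path, "rb").read())`); a result with a large overlay and a filler ratio near 1.0 is the signature of size inflation rather than of a genuine bundled payload, and is worth correlating with the file's download source.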
The deal will add another prominent cybersecurity company to Cisco’s portfolio. In the past eight months alone, the company has acquired email and AI cybersecurity firm Armorblox, cloud security firm Lightspin and network security business Valtix.