Threat Management

Vidar info-stealer distributed via spoofed GIMP site

Share

BleepingComputer reports that threat actors have been spreading the Vidar info-stealing malware through a malicious ad for the GNU Image Manipulation Program, which redirects to a phishing website impersonating the legitimate GIMP.org website. Searching for 'GIMP' in Google until last week would yield a Google ad leading to the phishing site, which facilitates the delivery of a malicious executable 'Setup.exe'. Binary padding has been leveraged by attackers to make the malware file, which is under 5 MB in size, seem like a 700 MB file. Distribution of the Vidar info-stealer has been discovered by BleepingComputer to involve 'Setup.exe' file's retrieval of the 'Htcnwiij.bmp' file from a Russia-based URL, with the file being a DLL for malware execution. Second stage payloads are being downloaded by the Setup file after communicating with its command-and-control server. Vidar then proceeds to exfiltrate browser data, cryptocurrency wallets, mailing application data, file transfer application details, and Telegram credentials for Windows.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.