How Google Ads For GIMP's Official Website Exposed PCs To Malware

One method threat actors use to distribute malware is known as SEO poisoning, with SEO standing for search engine optimization. SEO poisoning leverages various SEO techniques, such as filling a webpage’s source code with tons of keywords, to raise a malicious website’s ranking within the search results. If a threat actor manages to game the search results in this way and place a malicious website near the top of the search results, users may visit the malicious website and download malware without realizing it. However, this newly discovered malware campaign demonstrates that threat actors don’t need to employ SEO tactics to place a malicious website at the top of the search results if they can instead pay Google to do that for them.

However, rather than sending users to the official GIMP website, the ad instead sent users to a malicious copy of the GIMP website at a misspelled domain name. Most likely, the contextual advertisement was actually submitted to Google by a threat actor, rather than someone on the GIMP development team.
Initially, users who clicked on the download button on the malicious website were sent to Dropbox to download an executable file named “Setup.exe.” After uploading this file to VirusTotal and discovering that it contained malware, the Reddit user who discovered the scheme reported the ad to Google as malicious, prompting the company to terminate the ad.
The GIMP for Windows download buttons on this webpage fetch the malicious Setup.exe file from the Discord content deliver network (CDN), while redirecting users to the tutorials page on the official GIMP website. This updated download process appears more trustworthy than a random Dropbox download page, but the downloaded file is equally as malicious. Running this executable file installs the RedLine stealer malware, which collects valuable information from infected systems, then uploads it to a command-and-control (C2) server operated by threat actors.
In order to avoid being fooled by a scheme like this one, users should check domain names in the address bar before downloading software to make sure they are visiting legitimate websites. Many software developers also provide hash values on their websites, which users can check against the hash value of downloaded files before running them to verify the integrity of the downloaded files. In the case of this fake GIMP campaign, the threat actor simply copied the official GIMP website almost verbatim, leaving the correct hash value on the download page. Anyone who checked the malicious executable file against the hash value listed on the website would find that the sums don’t match, indicating that he file isn’t legitimate. Checking hash values may seem like a tedious extra step, but it really can save you from unknowingly installing malware on your systems.