Bad actors are abusing large, open-registration, low-moderation Mastodon instances in order to provide direction to the Vidar Stealer trojan horse, which steals passwords, credit card details, bitcoin wallets, etc.

If you run a large, open-registration, low-moderation instance, please consider changing at least one of those qualities.

To add additional clarity on how this works:

1) Bad actor sets up Mastodon accounts with the IP of the site the trojan horse should use to get its data, assuming that, because of open registration and nobody regularly reviewing new accounts that don't post objectionable content, they won't get kicked off.
2) Bad actor sets up their copy of the Vidar Stealer trojan to track those Mastodon accounts.
3) Bad actor tries to trick people into installing their trojan horse with the usual tricks (fake download sites, attachments in emails, etc.).
4) The trojan horse looks at those Mastodon accounts to get the IP address it should check to download its payload.

Mastodon itself is not a delivery vector for this trojan horse; the accounts simply exist to provide a trusted source for information for an already-infected computer. You do not have to worry about getting a virus from Mastodon!

@noelle @Talloran My stomach sank and I was terrified until I read "dll"
Is this windows only?
So I'm safe?

@ocean I think this is Windows-only, but I'm not an expert on the trojan; please don't take what I say as Truth.

@noelle @ocean this is a C2 channel analysis (command and control) - the Trojan doesn't affect masto users

so you don't have to worry about it

essentially it's using tooting as a form of inter-machine communication. Typically you set up servers to handle this sort of role, but most network security services will instantly freak out if they see a request to a weird IP or dng'd URL, while a standard SSL request to Mastodon seems more legit

@Dashtop @noelle @ocean many network firewalls block the standard tor ports precisely for that reason

@noelle odds that mr eu "website boy" gen will do nothing about this: basically 100%.

hope you're getting a kickback in bitcoin slot games for it at least, gag ron

@noelle does anyone know how this even works? Putting a scan command in a random profile shouldn't do anything, except if the target is already infected and opens this random profile?! :nkoThink:

@rick That's exactly correct. The Mastodon profile simply provides direction to the infected computer, and the owner of the Trojan horse knows which profile(s) to program into it.

@noelle Wow! Putting the unobfuscated IP of the C2 in the profile's description is a hawkish stance.

@noelle How is anyone supposed to find these *unless* you follow the trail from the malware itself? Seems a bit unfair to blame Mastodon servers here

@Gargron @noelle i think you (the generic you, as an admin) can mitigate the attack surface by limiting the amount of time such an account is live, for example by
- disabling open registration
- increasing moderation and review of new accounts
- limiting the user base to a manageable amount

it's not necessarily blaming servers, but these accounts are absolutely findable and the above strategies help to find them more quickly.

@trwnh @noelle That's far from practical for everyone. You know that if someone creates an empty/innocent-looking profile there's no way to tell that it's somehow used for a nefarious purpose.

@Gargron It's a pretty straightforward concept that if you keep registration wide open, bad actors will set up shop. Whether the attack seems obvious to you or not is frankly irrelevant, bad actors are consistently seeking out open and unmoderated servers to spread their attack, so clearly it's working.

This is kind of like allowing a spammer to use your webmail server to send emails and not understanding why people want you to ban the spammer.

@Sandrockcstm It's more like, people want you to find when someone signs up for your e-mail server and coordinates malware attacks by having his malware connect to the smtp server and read something from an e-mail draft that never gets sent somewhere. We're not talking about refusing to ban someone after they get reported for this.
Except we are?

"The idea is to secure communications from the compromised machine to the configuration source, and since Mastodon is a trusted platform, it shouldn't raise any red flags with security tools. At the same time, Mastodon is a relatively under-moderated space so these malicious profiles are unlikely to be spotted, reported, and removed."

The entire reason this works is that Mastodon is considered trusted and often unmoderated. That's the only way this attack works.

@noelle I'm guessing as it's a trojan it's still dependent on the victim actively following the IP?

Or does it somehow execute on its own? :blobtilt:

@Jo The example I've seen for this trojan is as a wrapper for an otherwise-valid VPN software; the trojan installs the VPN but also installs itself in the process, so it can run in the background.

@noelle In the end, all open-posting places can be used for something like that, and moderation doesn't necessarily help.
Relevant data could be embedded steganographically into legit-looking posts and extracted by trojan clients. But of course not needing to do this reduces the implementation complexity for the trojan devs.
Thanks, good read. I'll look into the methods they use and see if there is something we can do.
@noelle thanks for the info, I'll go through registrations and look out for that.
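One concrete way to do the review the last two replies talk about, given the mechanism the opening post describes (the C2 address sitting unobfuscated in a profile): scan each new account's profile text for IPv4 addresses and IP-literal URLs. This is an added example, not code from Mastodon, the original poster or anyone in the thread. It assumes account records shaped like the `display_name`, `note` and `fields` attributes of Mastodon's account JSON (all stored as HTML); the sample accounts are constructed, with RFC 5737 documentation addresses standing in for real ones.

```python
# Added example: flag Mastodon profiles carrying plaintext IPv4 indicators.
# Not Mastodon code. Input records mimic Mastodon account JSON; samples are constructed.
import html
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import urlparse

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# Dotted quad with optional :port. Lookarounds stop "v1.2.3.4" and "1.2.3.4.5"
# from matching while still allowing an address at the end of a sentence.
_IPV4_RE = re.compile(rf"(?<![\w.]){_OCTET}(?:\.{_OCTET}){{3}}(?::\d{{1,5}})?(?!\.?\d)")
_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
_HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
_TAG_RE = re.compile(r"<[^>]+>")

# Ranges that cannot be a C2 endpoint reachable from the public internet.
# RFC 5737 documentation ranges are deliberately not listed so the samples count as routable.
_NON_ROUTABLE = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
))


@dataclass(frozen=True)
class Finding:
    where: str      # profile attribute that held the indicator
    kind: str       # "ipv4" (bare address) or "ipv4_url" (URL whose host is an IP literal)
    ip: str         # the address itself
    matched: str    # the text as it appeared
    routable: bool  # False for RFC 1918, loopback, link-local, multicast, ...


def _routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _NON_ROUTABLE)


def _visible_text(raw: str) -> str:
    # Link targets first (Mastodon linkifies URLs and may shorten the visible text),
    # then the tag-stripped body; tags become spaces so adjacent words do not fuse.
    hrefs = " ".join(_HREF_RE.findall(raw))
    return html.unescape(hrefs + " " + _TAG_RE.sub(" ", raw))


def _profile_texts(account: dict) -> Iterator[Tuple[str, str]]:
    yield "display_name", account.get("display_name") or ""
    yield "note", account.get("note") or ""
    for i, field in enumerate(account.get("fields") or []):
        yield f"fields[{i}].name", field.get("name") or ""
        yield f"fields[{i}].value", field.get("value") or ""


def scan_text(where: str, raw: str) -> List[Finding]:
    text = _visible_text(raw)
    found: Dict[str, Finding] = {}  # keyed by address so href and visible text dedupe
    for url in _URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if _IPV4_RE.fullmatch(host):
            found.setdefault(host, Finding(where, "ipv4_url", host, url, _routable(host)))
    for m in _IPV4_RE.finditer(_URL_RE.sub(" ", text)):
        ip = m.group(0).split(":", 1)[0]
        found.setdefault(ip, Finding(where, "ipv4", ip, m.group(0), _routable(ip)))
    return list(found.values())


def scan_account(account: dict) -> List[Finding]:
    return [f for where, raw in _profile_texts(account) for f in scan_text(where, raw)]


def suspicious_accounts(accounts: Iterable[dict]) -> Dict[str, List[Finding]]:
    """Accounts whose profile names at least one routable IPv4 endpoint.
    Private/loopback hits stay in the findings for context but do not by
    themselves make an account suspicious (a homelab bio is not a C2)."""
    hits: Dict[str, List[Finding]] = {}
    for account in accounts:
        findings = scan_account(account)
        if any(f.routable for f in findings):
            hits[account["username"]] = findings
    return hits


# Constructed sample records shaped like Mastodon's account JSON.
SAMPLE_ACCOUNTS = [
    {"username": "alice", "display_name": "Alice",
     "note": '<p>Gardener, photographer. Blog at <a href="https://alice.example">alice.example</a></p>',
     "fields": [{"name": "Website", "value": '<a href="https://alice.example">alice.example</a>'}]},
    {"username": "bob", "display_name": "Bob",
     "note": "<p>Homelab tinkerer. Router lives at 192.168.1.1, don't judge.</p>", "fields": []},
    {"username": "qhx7710", "display_name": "", "note": "<p>198.51.100.23</p>", "fields": []},
    {"username": "mk44", "display_name": "mk", "note": "<p>hi</p>",
     "fields": [{"name": "cfg", "value": '<a href="http://203.0.113.9:8080/x" rel="nofollow noopener" target="_blank">'
                                       '<span class="invisible">http://</span><span class="">203.0.113.9:8080/x</span></a>'}]},
]

if __name__ == "__main__":
    for username, findings in suspicious_accounts(SAMPLE_ACCOUNTS).items():
        for f in findings:
            print(f"{username}: {f.where} {f.kind} {f.ip} routable={f.routable} <- {f.matched!r}")
```

Feeding this the accounts from an admin's recent-registrations listing is left out, as is any cutoff on account age. Two caveats a reviewer should keep in mind: private addresses are reported but not treated as suspicious on their own, and the check only catches the plaintext variant the thread describes. An operator who encodes or hides the address, as another reply points out is possible, will not trip it.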
