Vidar stealer is back with a new target: this time the Mastodon social media network is being abused in a fresh malicious campaign. The goal is to retrieve the C2 configuration without being noticed.
Vidar Stealer: How It Works
The Vidar stealer's activity can be traced back to 2018, and it has played a role in several campaigns since then. It has stood the test of time thanks to its effectiveness and its low price, as it can easily be sourced for $150 via Telegram or malicious forums.
What really draws attention is the way Vidar stealer abuses Mastodon: it uses the social media network for C2 connectivity and for retrieving its configuration dynamically.
As BleepingComputer describes, it works like this:
First, the hackers create Mastodon accounts and put the IP address of the C2 in the profile's description section. The aim is to keep the communication between the compromised machine and the source of the configuration secure. Because the platform is under-moderated, these profiles go undetected. According to Cyberprint researchers, every C2 showed between 500 and 1,500 different campaign IDs. After execution, the malware sends a POST request to fetch its configuration. Vidar stealer then uses GET requests to bring in DLL functions (6
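The profile-to-C2 handoff described above, as an added detection example that is not from the article or from the researchers it cites: it runs over constructed proxy-log lines (the log format, the instance name and all addresses are assumptions) and flags a client that fetches a fediverse profile page and then POSTs to a bare IP literal within a few minutes, which is the sequence the text describes.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log (hypothetical "timestamp client method url" format), not real telemetry.
SAMPLE_LOG = """\
2023-01-01T10:00:01 10.0.0.5 GET https://mastodon.example/@profile123
2023-01-01T10:00:03 10.0.0.5 POST http://198.51.100.7/
2023-01-01T10:00:05 10.0.0.5 GET http://198.51.100.7/library.dll
2023-01-01T10:10:00 10.0.0.9 GET https://mastodon.example/@someone
2023-01-01T10:30:00 10.0.0.9 POST http://203.0.113.4/
2023-01-01T10:31:00 10.0.0.11 POST http://203.0.113.9/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# A fediverse profile page looks like https://<instance>/@<handle>.
PROFILE_RE = re.compile(r"^https://[^/]+/@[\w.]+/?$")
# A request addressed to a bare IPv4 literal rather than a hostname.
BARE_IP_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")

WINDOW = timedelta(minutes=5)  # assumed gap between profile fetch and config POST


def parse(log_text):
    """Parse log lines into (timestamp, client, method, url), oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, method, url = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, url))
    return sorted(events)


def detect(log_text, window=WINDOW):
    """Return (client, c2_ip, profile_url) for every client that POSTs to a
    bare IP shortly after fetching a profile page."""
    last_profile = {}  # client -> (timestamp, profile_url)
    alerts = []
    for ts, client, method, url in parse(log_text):
        if method == "GET" and PROFILE_RE.match(url):
            last_profile[client] = (ts, url)
            continue
        ip = BARE_IP_RE.match(url)
        if method == "POST" and ip and client in last_profile:
            seen_at, profile_url = last_profile[client]
            if ts - seen_at <= window:
                alerts.append((client, ip.group(1), profile_url))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("profile-to-C2 pattern:", alert)
```

Only 10.0.0.5 is flagged: 10.0.0.9 waits 20 minutes before its POST and 10.0.0.11 never fetched a profile, so neither matches the sequence.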