November 22, 2024

Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.

Dubbed “YTStealer” by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.

“What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” security researcher Joakim Kenndy said in a report shared with The Hacker News.

The malware’s modus operandi, however, mirrors its counterparts in that it extracts the cookie information from the web browser’s database files in the user’s profile folder. The reasoning given behind targeting content creators is that it uses one of the installed browsers on the infected machine to gather YouTube channel information.

It achieves this by launching the browser in headless mode and adding the cookie to the data store, followed by using a web automation tool called Rod to navigate to the user’s YouTube Studio page, which enables content creators to “manage your presence, grow your channel, interact with your audience, and make money all in one place.”

From there, the malware captures information about the user’s channels, including the name, the number of subscribers, and its creation date, alongside checking if it’s monetized, an official artist channel, and if the name has been verified, all of which is exfiltrated to a remote server carrying the domain name “youbot[.]solutions.”

Another notable aspect of YTStealer is its use of the open-source Chacal “anti-VM framework” in an attempt to thwart debugging and memory analysis.

Further analysis of the domain has revealed that it was registered on December 12, 2021, and that it’s possibly connected to a software company of the same name that’s located in the U.S. state of New Mexico and claims to provide “unique solutions for getting and monetizing targeted traffic.”

That said, open-source intelligence gathered by Intezer has also linked the logo of the supposed company to a user account on an Iranian video-sharing service called Aparat.

A majority of the dropper payloads delivering YTStealer together with RedLine Stealer are packaged under the guise of installers for legitimate video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools like Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.

“YTStealer doesn’t discriminate about what credentials it steals,” Kenndy said. “On the dark web, the ‘quality’ of stolen account credentials influences the asking

price, so access to more influential Youtube channels would command higher prices.”