Intezer researchers have discovered a new malware, YTStealer, designed to steal information and target YouTubers, i.e. YouTube content creators.
The malware steals authentication cookies, which can then be used to hijack other people’s feeds.
You might also be interested to know what Hacked Software Hunters May Be Victims of FakeCrack Malware Campaign.
Intezer specialists write that compared to other infostealers, YTStealer and its extremely narrow focus look very unusual. Since YTStealer is aimed exclusively at YouTubers, its distribution uses appropriate lures that mimic video editing software or popular games.
For example, YTStealer installers can mask as OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares Auto-Tune Pro and Filmora, as well as Grand Theft Auto V mods, Counter-Strike Go and Call of Duty cheats, the game Valorant or hacks for Roblox. Cracks and token generators for Norton Security, Malwarebytes, Discord Nitro, Stepn, and Spotify Premium have also been found containing this malware.
Interestingly, YTStealer usually comes bundled with other infostealers, including the well-known RedLine and Vidar. It seems that YTStealer is mostly seen by attackers as a kind of “bonus” distributed along with other malware to steal credentials.
After infiltrating the system, the malware carefully checks the SQL database files in the browser in search of YouTube authentication tokens. YTStealer then checks them by running the browser in headless mode and adding the stolen cookies to its storage. If the tokens are valid, YTStealer will collect additional information about the victim:
- YouTube channel name;
- number of subscribers;
- creation date;
- monetization status;
- whether the channel has an official artist status.
To control the browser, YTStealer uses the Rod library, which is widely used for web automation and scraping. As a result, the extraction of information about the YouTube channel occurs without the direct intervention of an attacker.
YTStealer is fully automated in stealing data from both large and small YouTube channels, allowing its operators to evaluate the “catch” later. Intezer analysts believe that the stolen YouTube accounts are then sold on the dark web, with the price directly related to the size of the channel. Obviously, the larger and more influential the channel, the more expensive it will cost on the black market.
Buyers of such accounts usually use stolen cookies to take over other people’s channels and commit various fraudulent activities (for example, promoting a cryptocurrency scam), and may also demand a ransom from the real owner.
The researchers emphasize that YTStealer does pose a big threat to YouTubers, because even if their accounts are protected by multi-factor authentication, the stolen tokens will bypass the MFA. Experts advise YouTube content creators to periodically log out of their accounts so that any authentication tokens that may have been created and stolen earlier become invalid.