New YTStealer malware steals accounts from YouTube Creators

by ITECHNEWS
June 30, 2022
in Infosec, Leading Stories

A new information-stealing malware named YTStealer is targeting YouTube content creators and attempting to steal their authentication tokens and hijack their channels.

In a space where multiple info-stealers compete for the attention of cybercriminals, the existence of YTStealer and its extremely narrow focus is peculiar.

According to a report published today by Intezer, focusing on one goal has given YTStealer’s authors the capacity to make its token-stealing operation very effective, incorporating advanced, specialized tricks.

Targeting YouTube content creators

Since the YTStealer malware targets YouTube creators, most of its distribution uses lures impersonating software that edits videos or acts as content for new videos.

Examples of impersonated software that contain malicious YTStealer installers include OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares Auto-Tune Pro, and Filmora.

In other cases targeting gaming content creators, YTStealer impersonates mods for Grand Theft Auto V, cheats for Counter-Strike Go and Call of Duty, the Valorant game, or hacks for Roblox.

The researchers also spotted cracks and token generators for Discord Nitro and Spotify Premium carrying the new malware.

According to Intezer, YTStealer is typically bundled with other information-stealers such as the infamous RedLine and Vidar. As such, it is mostly treated as a specialized “bonus” dropped alongside malware that targets password theft from a broader scope of software.

YTStealer functionality

The YTStealer malware runs some anti-sandbox checks before executing in the host, using the open-source Chacal tool for this purpose.

If the infected machine is deemed a valid target, the malware scrutinizes the browser SQL database files to locate YouTube authentication tokens.

Next, it validates them by launching the web browser in headless mode and adding the stolen cookie to its store. If it’s valid, YTStealer also collects additional information such as:

  • YouTube channel name
  • Subscriber count
  • Creation date
  • Monetization status
  • Official artist channel status

Launching the web browser in headless mode makes the whole operation stealthy to the victim, who wouldn’t notice anything strange unless they scrutinize their running processes.

To control the browser, YTStealer uses a library called Rod, a utility widely used for web automation and scraping. Hence, the YouTube channel information exfiltration happens without manual intervention from the threat actor.
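
A headless browser started by something other than the browser itself is one of the few visible traces of the behaviour described above. The following detection sketch is an added example, not code from Intezer's report or the original article; the event field names (modelled on process-creation logs), the allowlist, the path heuristics and the sample events are all assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: browser executables to watch; extend for your fleet.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Assumption: parents expected to start headless browsers (add CI/test runners here).
ALLOWED_PARENTS = set(BROWSERS)
# Assumption: user-writable locations that downloaded installers usually run from.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")

# Matches the Chromium --headless switch, with or without a value (e.g. --headless=new).
HEADLESS = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)", re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def flag_headless_browsers(events):
    """Return (event, severity, reason) for headless browsers with unexpected parents."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) not in BROWSERS:
            continue
        if not HEADLESS.search(ev["CommandLine"]):
            continue
        parent = ev["ParentImage"]
        if basename(parent) in ALLOWED_PARENTS:
            continue
        # A parent running from a user-writable directory is the more suspicious case.
        risky = any(p in parent.lower() for p in USER_WRITABLE)
        reason = f"headless {basename(ev['Image'])} started by {parent}"
        findings.append((ev, "high" if risky else "medium", reason))
    return findings


# Constructed sample events, not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --headless --disable-gpu about:blank',
     "ParentImage": r"C:\Users\alice\Downloads\video-editor-setup.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --type=renderer',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --headless=new --print-to-pdf=out.pdf page.html',
     "ParentImage": r"C:\Tools\report-builder.exe"},
]

if __name__ == "__main__":
    for _, severity, reason in flag_headless_browsers(SAMPLE_EVENTS):
        print(severity, reason)
```

Legitimate automation (PDF rendering, test suites) also uses headless mode, so the medium-severity hits are triage candidates rather than verdicts; tune the allowlist before alerting on them.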

Accounts sold on the dark web

YTStealer is fully automated and doesn’t discriminate between small or large YouTube accounts, stealing all of them and letting its operators evaluate their catch later.

Intezer believes the stolen YouTube accounts are sold on the dark web, with prices depending on the channel size. Obviously, the larger and more influential a YouTube channel, the more expensive it will be to purchase on dark web markets.

The buyers of those accounts typically use these stolen authentication cookies to hijack YouTube channels for various scams, usually cryptocurrency, or demand a ransom from the actual owners.

This is particularly dangerous for YouTube content creators because even if their accounts are secured with multi-factor authentication, the authentication tokens will bypass MFA and allow the threat actors to log into their accounts.

Therefore, it is suggested that YouTube creators log out of their accounts periodically to invalidate all authentication tokens that may have previously been created or stolen.

Source: Bill Toulas
Via: bleepingcomputer