New YTStealer malware aims to hijack accounts of YouTube content creators


Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by looting their authentication cookies.

Dubbed “YTStealer” by Intezer, it is likely that the malicious tool is sold as a service on the dark web, where it is distributed using fake installers that also drop RedLine Stealer and Vidar.

“What sets YTStealer apart from other stealers sold in the dark web market is that it focuses solely on collecting credentials for a single service rather than grabbing everything it can get,” security researcher Joakim Kennedy said in a report shared with The Hacker News.

However, the malware’s modus operandi mirrors that of its counterparts in that it extracts the cookie information from the web browser’s database files located in the user’s profile folder. What makes it specific to content creators is that it then uses one of the browsers installed on the infected machine to collect YouTube channel information.

It achieves this by launching the browser in headless mode and adding the stolen cookie to the browser’s data store, then using a web automation tool called Rod to navigate to the user’s YouTube Studio page, which lets content creators “manage your presence, grow your channel, interact with your audience, and monetize, all in one place.”

From there, the malware collects information about the user’s channels, including name, subscriber count, and creation date, in addition to checking whether they are monetized, an official artist channel, and whether the name has been verified, all of which are exfiltrated to a remote server with the domain name “youbot[.]solutions.”
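The behaviour described above (a headless browser launched from the victim’s profile, followed by a connection to the exfiltration domain) is something a defender can look for in endpoint telemetry. The following script is an added example and is not code from Intezer or the article: it runs simple detection logic over a few constructed sample events (process launches and DNS lookups, in a made-up `host|type|detail` format), flags headless launches of Chromium-based browsers and lookups of the reported domain, and raises the severity when one host shows both. The browser executable list and the event format are assumptions; the only indicator taken from the report is the defanged domain.

```python
import re
from collections import defaultdict

# Exfiltration domain as printed in the report (defanged); refanged below for matching.
EXFIL_DOMAIN_DEFANGED = "youbot[.]solutions"

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def refang(indicator):
    """Turn a defanged indicator ("youbot[.]solutions") back into a matchable domain."""
    return indicator.replace("[.]", ".").strip().lower()


EXFIL_DOMAIN = refang(EXFIL_DOMAIN_DEFANGED)

# Chromium-based browsers an analyst might watch (assumption, not from the report).
BROWSER_EXES = {"chrome.exe", "chromium.exe", "msedge.exe", "brave.exe", "opera.exe"}
HEADLESS_FLAG = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?:\s|$)", re.IGNORECASE)
EXE_NAME = re.compile(r'([^\\/\s"]+\.exe)', re.IGNORECASE)


def is_headless_browser_launch(cmdline):
    """True when a known browser executable is started with a --headless flag."""
    m = EXE_NAME.search(cmdline)
    if not m or m.group(1).lower() not in BROWSER_EXES:
        return False
    return HEADLESS_FLAG.search(cmdline) is not None


def is_exfil_domain(name):
    """Match the reported domain and any of its subdomains; accepts defanged input."""
    name = refang(name).rstrip(".")
    return name == EXFIL_DOMAIN or name.endswith("." + EXFIL_DOMAIN)


def parse_event(line):
    """Constructed event format: host|process or dns|detail (command line or queried name)."""
    host, kind, detail = line.split("|", 2)
    return host.strip(), kind.strip().lower(), detail.strip()


def analyze(lines):
    """Return {host: {"findings": [...], "severity": ...}} for hosts with at least one hit."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, kind, detail = parse_event(line)
        if kind == "process" and is_headless_browser_launch(detail):
            hits[host].append(("headless_browser", "medium", detail))
        elif kind == "dns" and is_exfil_domain(detail):
            hits[host].append(("exfil_domain", "high", detail))

    report = {}
    for host, findings in hits.items():
        kinds = {f[0] for f in findings}
        # A headless browser plus a lookup of the exfil domain on the same host
        # is the full pattern the report describes, so escalate.
        if {"headless_browser", "exfil_domain"} <= kinds:
            severity = "critical"
        else:
            severity = max((f[1] for f in findings), key=SEVERITY_RANK.get)
        report[host] = {"findings": findings, "severity": severity}
    return report


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    "ws01|process|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --headless "
    "--user-data-dir=C:\\Users\\alice\\AppData\\Local\\Temp\\tmp4k2",
    "ws01|dns|youbot.solutions",
    "ws02|process|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --profile-directory=Default",
    "ws02|dns|youtube.com",
    "ws03|dns|api.youbot.solutions",
]

if __name__ == "__main__":
    for host, entry in analyze(SAMPLE_EVENTS).items():
        print(host, entry["severity"])
        for kind, sev, detail in entry["findings"]:
            print("   ", kind, sev, detail)
```

A headless browser launch on its own is common on developer and CI machines, which is why it only rates “medium” here; the correlation with the domain is what turns it into a confident hit. In a real deployment the domain list would be fed from threat intelligence rather than hard-coded, and the command-line check would be extended to whatever other browsers are in use in the environment.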

Another notable aspect of YTStealer is its use of the open-source Chacal “anti-VM framework” in an effort to thwart debugging and memory analysis.

Further analysis of the domain has shown that it was registered on December 12, 2021, and that it may be related to a software company of the same name located in the US state of New Mexico that claims to provide “unique solutions to get targeted traffic and monetize it.”

That said, open-source information collected by Intezer has also linked the alleged company’s logo to a user account on an Iranian video-sharing service called Aparat.

A majority of the droppers that deliver YTStealer alongside RedLine Stealer are packaged under the guise of installers for legitimate video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools such as Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.

“YTStealer doesn’t discriminate about which credentials it steals,” Kennedy said. “On the dark web, the ‘quality’ of stolen account information affects the asking price, so access to more influential YouTube channels would drive higher prices.”