Security researchers have discovered a new piece of malware that targets YouTube content creators and steals their authentication cookies. The malware, dubbed "YTStealer" by Intezer, is believed to be offered as a service on the dark web and is spread through fake installers that also distribute RedLine Stealer and Vidar.
"What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kennedy said in a report.
Otherwise the malware's mode of operation matches that of its predecessors: it harvests cookie data from the database files the web browser keeps in the user's profile folder. What makes it specific to content creators is the next step. It uses one of the browsers installed on the infected machine to acquire the victim's YouTube channel information, driving the browser with the web automation library Rod to open the user's YouTube Studio page, the dashboard that lets creators "manage your presence, grow your channel, interact with your audience, and make money all in one place." This is done by launching the browser in headless mode and injecting the stolen cookie into its data store, so the session is already logged in.
The malware then exfiltrates the user's channel information to a remote server at the domain "youbot[.]solutions": the channel title, subscriber count, and creation date, along with whether the channel is monetized, whether it is an official artist channel, and whether the name has been verified. Another notable feature of YTStealer is its use of the open-source "anti-VM framework" Chacal to hinder debugging and memory analysis.
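The two behaviours described above, a browser launched headless by something that is not itself a browser and a network contact with the exfiltration domain, are the observable points a defender can hunt for. The following Python triage script is an added example written for this page; it is not code from Intezer's report or from the malware. It scans constructed JSON-lines endpoint telemetry (not real logs) for both indicators and reports hosts where they coincide. The only indicator taken from the article is the domain youbot[.]solutions; the `--headless` command-line token, the browser process names, and the parent/child pairing are assumptions about how such a launch appears in process logs.

```python
"""
Added example (not from the article or the Intezer report): scan constructed
endpoint telemetry for the behaviours the article attributes to YTStealer.

Indicators:
  * DNS or HTTP contact with the exfiltration domain youbot[.]solutions
    (the one network IoC the article gives; stored defanged and refanged here).
  * A browser started in headless mode by a parent process that is not a
    browser. The "--headless" token, the browser image names and the
    parent/child logic are assumptions about how a Rod-driven headless
    browser would show up in process logs, not details from the article.
"""
import json
from dataclasses import dataclass

EXFIL_DOMAIN = "youbot[.]solutions".replace("[.]", ".")  # refang for matching
BROWSER_NAMES = {"chrome.exe", "chromium.exe", "msedge.exe", "brave.exe"}  # assumption

# Constructed sample telemetry (JSON lines); hosts, paths and parents are made up.
SAMPLE_EVENTS = """
{"type": "process", "host": "ws01", "image": "chrome.exe", "parent_image": "explorer.exe", "cmdline": "chrome.exe --profile-directory=Default"}
{"type": "process", "host": "ws01", "image": "chrome.exe", "parent_image": "Premiere_Pro_Setup.exe", "cmdline": "chrome.exe --headless --user-data-dir=C:/Users/vic/AppData/Local/Temp/rod"}
{"type": "dns", "host": "ws01", "query": "www.youtube.com"}
{"type": "dns", "host": "ws01", "query": "youbot.solutions"}
{"type": "http", "host": "ws02", "dest_host": "api.youbot.solutions", "method": "POST", "uri": "/"}
{"type": "process", "host": "ws02", "image": "chrome.exe", "parent_image": "chrome.exe", "cmdline": "chrome.exe --type=renderer"}
"""

HEADLESS_RULE = "headless_browser_from_non_browser_parent"


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _is_headless_launch(cmdline: str) -> bool:
    # Match the bare flag and the "--headless=new" form Chromium also accepts.
    return any(tok == "--headless" or tok.startswith("--headless=")
               for tok in cmdline.split())


def _domain_matches(name: str) -> bool:
    # Exact match or any subdomain; ignore case and a trailing dot.
    name = name.lower().rstrip(".")
    return name == EXFIL_DOMAIN or name.endswith("." + EXFIL_DOMAIN)


def scan_events(lines: str) -> list:
    """Return one Finding per event that matches an indicator."""
    findings = []
    for raw in lines.strip().splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("type")
        if kind == "process":
            image = ev.get("image", "").lower()
            parent = ev.get("parent_image", "").lower()
            if (image in BROWSER_NAMES and parent not in BROWSER_NAMES
                    and _is_headless_launch(ev.get("cmdline", ""))):
                findings.append(Finding(ev["host"], HEADLESS_RULE,
                                        f"{parent} -> {ev['cmdline']}"))
        elif kind == "dns" and _domain_matches(ev.get("query", "")):
            findings.append(Finding(ev["host"], "exfil_domain_dns", ev["query"]))
        elif kind == "http" and _domain_matches(ev.get("dest_host", "")):
            findings.append(Finding(ev["host"], "exfil_domain_http",
                                    f"{ev.get('method')} {ev['dest_host']}{ev.get('uri', '')}"))
    return findings


def hosts_with_both_indicators(findings: list) -> list:
    """Hosts showing a headless launch AND exfil-domain contact: the strongest signal."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(host for host, rules in rules_by_host.items()
                  if HEADLESS_RULE in rules
                  and any(r.startswith("exfil_domain") for r in rules))


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.host}] {f.rule}: {f.detail}")
    print("hosts with both indicators:", hosts_with_both_indicators(found))
```

A single headless launch is weak evidence on its own (developers and test harnesses use headless browsers legitimately), which is why the script also correlates it with the network indicator per host; either finding alone is worth a look, both together on the same machine are worth an incident.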
Further investigation shows the domain was registered on December 12, 2021. It may be related to a software firm of the same name based in the U.S. state of New Mexico that advertises "unique solutions for getting and monetizing targeted traffic." Open-source information gathered by Intezer, however, also ties the fictitious company's logo to a user account on the Iranian video-sharing website Aparat.
Most dropper payloads carrying YTStealer and RedLine Stealer are disguised as installers for legitimate video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express; game mods for Counter-Strike: Global Offensive and Call of Duty; audio tools such as Ableton Live 11 and FL Studio; and cracked versions of security products.