YTStealer is a new info-stealer on the block targeting YouTube content creators to steal authentication tokens and take over their channels.
Automated security intelligence solutions provider Intezer reported that new information-stealing malware, dubbed YTStealer, targets YouTube channels. The malware can steal authentication cookies and entirely focuses on hijacking YouTube channels, whether it is an influencer or a newbie channel, small or large.
After harvesting credentials, the attacker can do whatever they want with the channel. As a result, high-value accounts are usually put up for sale or compromised further to distribute malware to other users. YTStealer has a surprisingly narrow focus: it only tries to steal YouTube channel tokens, and that focus is what makes the operation so effective.
Intezer researchers explained that YTStealer is bundled with other info-stealers like Vidar or RedLine as a bonus. The additional malware is dropped with YTStealer to broaden its scope.
The malware first performs anti-sandbox checks using the open-source Chacal tool before executing on the host. If the infected device is deemed a real target, YTStealer inspects the browser database files to locate authentication tokens for YouTube channels. To validate them, the malware launches the web browser in headless mode, which keeps the entire operation hidden from the victim, and adds the stolen cookie to that browser's cookie store.
If the token is valid, the malware collects more data, including the channel name, creation date, subscriber count, official artist channel status, and monetization details. The malware uses the Rod library to control the browser. This shows how the attackers exfiltrate information about YouTube channels without any manual intervention.
Prime Targets: YouTube Content Creators
According to Intezer’s blog post, YTStealer malware only targets YouTube content creators; therefore, its primary lure is impersonating video-editing software or sources of content for new videos, such as OBS Studio, FL Studio, Adobe Premiere Pro, Ableton Live, Filmora, and Antares Auto-Tune Pro.
In other cases, where YTStealer specifically targets gaming content creators, it impersonates Grand Theft Auto V mods, the game Valorant, cheats for Counter-Strike: GO and Call of Duty, or Roblox hacks. The researchers also found token generators and cracks for Spotify Premium and Discord Nitro laced with the malware.
Hijacked Channels Are Sold on the Dark Web
This malware is fully automated, and the stolen YouTube accounts are sold on the Dark Web. Prices are set according to the channel’s size, so larger and more influential channels are more expensive.
Buyers of these channels use the stolen authentication cookies to hijack the channel and then demand a ransom from the original owner or launch cryptocurrency scams. Even if the account is protected by MFA, a stolen authentication token bypasses it, because the token represents a session that has already passed the MFA check, so the attackers can log in to the account without it.
It is suggested that YouTube content creators periodically log out of their accounts so that any authentication tokens stolen up to that point are invalidated.