YTStealer, a new information-stealing malware, is targeting YouTube content creators and attempting to steal their authentication tokens and hijack their channels.
Focusing on one goal has given YTStealer’s authors the capacity to make its token-stealing operation very effective, according to a report published earlier this week by Intezer.
Most of its distribution uses lures impersonating software that edits videos or acts as content for new videos, targeting YouTube creators.
Examples of impersonated software that contains malicious YTStealer installers include Adobe Premiere Pro, Ableton Live, and Filmora.
YTStealer also targets gaming content creators by impersonating mods for Grand Theft Auto V, cheats for Call of Duty and Counter-Strike Go, or hacks for Roblox.
The researchers also spotted cracks and token generators for Spotify Premium and Discord Nitro carrying the new malware.
YTStealer is typically used in conjunction with other information-stealers like RedLine and Vidar, according to Intezer. It is mostly treated as a specialised “bonus” dropped alongside malware that targets password theft from a broader scope of software.
Using the open-source Chacal tool, the malware runs some anti-sandbox checks before executing in the host.
If the infected machine is deemed a valid target, the malware scrutinises the browser SQL database files to locate YouTube authentication tokens.
It validates them by launching the web browser in headless mode and adding the stolen cookie to its store. If the cookie is valid, YTStealer also collects additional information, including YouTube channel names, creation dates, and the monetisation status of the channels.
Victims wouldn’t notice anything strange happening whilst the malware runs unless they scrutinised their running processes.
To control the browser, YTStealer uses a library called Rod, a utility widely used for web automation and scraping. No manual intervention is needed from the threat actor.
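The headless, remotely controlled browser launch described above is the one observable a defender can hunt for. The following triage logic is an added example, not Intezer's or the malware's code; it assumes Sysmon-style process-creation fields and that a DevTools-driven automation library such as Rod starts Chromium with `--headless` plus a `--remote-debugging-port`/`--remote-debugging-pipe` flag, and the sample events and lure file name are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # normal interactive launch from the desktop shell
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # headless, remote-controlled browser spawned by a downloaded installer (constructed lure name)
        "parent": r"C:\Users\editor\Downloads\VideoEditor_Setup.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222',
    },
    {   # same technique driven by a developer test runner: benign parent, lower severity
        "parent": r"C:\Program Files\nodejs\node.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=0',
    },
]

CHROMIUM_BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
# Parents that legitimately drive headless browsers (test runners, CI agents); tune per environment.
EXPECTED_AUTOMATION_PARENTS = {"node.exe", "python.exe", "java.exe"}
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S*)?(?=\s|$)")
REMOTE_CONTROL_RE = re.compile(r"(?:^|\s)--remote-debugging-(?:port|pipe)\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_remote_controlled_headless(cmdline: str) -> bool:
    """Headless plus a DevTools remote-debugging endpoint is the shape a CDP automation
    library (Rod among them) produces when it takes over the browser; assumed flag set."""
    return bool(HEADLESS_RE.search(cmdline) and REMOTE_CONTROL_RE.search(cmdline))


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, parent_image, reason) for every headless, remote-controlled browser launch."""
    alerts = []
    for ev in events:
        if basename(ev["image"]) not in CHROMIUM_BROWSERS or not is_remote_controlled_headless(ev["cmdline"]):
            continue
        parent = basename(ev["parent"])
        if parent in EXPECTED_AUTOMATION_PARENTS:
            alerts.append(("low", parent, "headless automation from an expected runner"))
        else:  # an installer or unknown binary driving a hidden browser is the page's described behaviour
            alerts.append(("high", parent, "headless automation from an unexpected parent"))
    return alerts
```

A high-severity hit should be paired with a check of recent reads of the browser's cookie database by the same parent process, which is the step the article describes preceding the headless validation.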
YTStealer is wholly automated and doesn’t discriminate between large or small YouTube accounts, stealing as much as it can and letting its operators evaluate their catch later.
Intezer states that it believes the stolen YouTube accounts are sold on the dark web, with prices varying depending on the channel size.
The buyers of those accounts typically use these stolen authentication cookies to hijack YouTube channels for various scams, usually cryptocurrency based, and/or demanding ransoms from the actual owners.
This is worrying and dangerous for YouTube content creators because their accounts can appear secure thanks to protections like multi-factor authentication; however, a stolen authentication token bypasses MFA entirely and allows threat actors to log into all their accounts.
It is suggested that YouTube creators log out of all their accounts from time to time to invalidate all authentication tokens that may have previously been stolen or created.