Wednesday, June 29, 2022

New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators


Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.

Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.

"What sets YTStealer apart from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kennedy said in a report shared with The Hacker News.

The malware's modus operandi, however, mirrors its counterparts in that it extracts the cookie information from the web browser's database files in the user's profile folder. The reasoning given behind targeting content creators is that it uses one of the installed browsers on the infected machine to gather YouTube channel information.

It achieves this by launching the browser in headless mode and adding the cookie to its data store, followed by using a web automation tool called Rod to navigate to the user's YouTube Studio page, which allows content creators to "manage your presence, grow your channel, interact with your audience, and make money all in one place."

From there, the malware captures information about the user's channels, including the name, the number of subscribers, and its creation date, alongside checking if it is monetized, an official artist channel, and if the name has been verified, all of which is exfiltrated to a remote server carrying the domain name "youbot[.]solutions."
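The behaviour described in the preceding paragraphs has a recognisable shape in process-creation telemetry: a browser started in headless mode by a parent that is not itself a browser, pointed at a throwaway profile and driven over the DevTools protocol. The following detection sketch is an added example written for this article, not code from Intezer or from the report; the pipe-delimited event format, the allowlist, the sample log lines and the assumption that an automation-driven Chromium exposes `--headless`, `--remote-debugging-port` and `--user-data-dir` on its command line are all constructed for the example.

```python
"""Flag headless-browser launches that fit the pattern described above:
a non-browser process starting a browser headless with a throwaway profile.

Added example for detection engineering; the event schema, allowlist and
log lines are constructed and not taken from any real telemetry source.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Chromium-based browser executables (constructed list; extend per environment).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe", "opera.exe"}
# Parents that legitimately drive headless browsers here (hypothetical allowlist).
ALLOWED_PARENTS = {"node.exe", "python.exe"}
# Path fragments where a freshly dropped installer or a temporary profile would live.
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\")

# Constructed sample events in the form "timestamp|parent_image|image|command_line".
# Not a real vendor schema; adapt the parser to Sysmon/EDR fields as needed.
SAMPLE_EVENTS = """\
2022-06-29T10:01:02Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"chrome.exe" --profile-directory=Default
2022-06-29T10:01:05Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"chrome.exe" --type=renderer --headless
2022-06-29T10:03:44Z|C:\\Users\\alice\\Downloads\\Premiere_Pro_Setup.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"chrome.exe" --headless --remote-debugging-port=0 --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Temp\\rod\\user-data\\abc123 --no-first-run
2022-06-29T10:05:10Z|C:\\Users\\alice\\dev\\node.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir=C:\\Users\\alice\\dev\\.cache\\puppeteer
"""

# Matches --flag or --flag=value; a value containing spaces must be double-quoted.
FLAG_RE = re.compile(r'--([\w-]+)(?:=("[^"]*"|\S+))?')


@dataclass
class Finding:
    timestamp: str
    parent: str
    reasons: list = field(default_factory=list)


def parse_flags(cmdline: str) -> dict:
    """Return {flag_name: value} for every long option on the command line."""
    return {name: (value or "").strip('"') for name, value in FLAG_RE.findall(cmdline)}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_suspect_dir(path: str) -> bool:
    low = path.lower()
    return any(fragment in low for fragment in SUSPECT_DIRS)


def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding when a browser is started headless by a non-browser,
    non-allowlisted parent; otherwise None."""
    timestamp, parent, image, cmdline = line.split("|", 3)
    flags = parse_flags(cmdline)
    if basename(image) not in BROWSER_IMAGES or "headless" not in flags:
        return None
    parent_name = basename(parent)
    # Renderer/GPU children of a headless browser inherit --headless; skip them,
    # and skip parents this environment has explicitly allowed to automate browsers.
    if parent_name in BROWSER_IMAGES or parent_name in ALLOWED_PARENTS:
        return None
    finding = Finding(timestamp, parent, ["headless browser launched by non-browser parent"])
    if "remote-debugging-port" in flags:
        finding.reasons.append("DevTools remote debugging enabled (automation framework)")
    profile = flags.get("user-data-dir", "")
    if profile and in_suspect_dir(profile):
        finding.reasons.append("throwaway profile under a temp directory")
    if in_suspect_dir(parent):
        finding.reasons.append("parent executable runs from Downloads/Temp")
    return finding


def scan(events: str) -> list:
    """Run analyze_event over every non-empty line and keep the findings."""
    return [f for f in (analyze_event(l) for l in events.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.timestamp, f.parent, "->", "; ".join(f.reasons))
```

Of the four constructed events, only the third is reported: the first is an ordinary interactive launch, the second is a renderer child that inherits `--headless` from its browser parent, and the fourth is an allowlisted developer tool. The parent-from-Downloads and temp-profile reasons are what separate the installer-dropped case in the article from routine automation, so they are worth weighting higher than the bare headless flag when tuning.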

Another notable aspect of YTStealer is its use of the open-source Chacal "anti-VM framework" in an attempt to thwart debugging and memory analysis.

Further analysis of the domain has revealed that it was registered on December 12, 2021, and that it is possibly associated with a software company of the same name that is located in the U.S. state of New Mexico and claims to provide "unique solutions for getting and monetizing targeted traffic."


That said, open-source intelligence gathered by Intezer has also linked the logo of the supposed company to a user account on an Iranian video-sharing service called Aparat.

A majority of the dropper payloads delivering YTStealer along with RedLine Stealer are packaged under the guise of installers for legitimate video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools like Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.

"YTStealer doesn't discriminate about what credentials it steals," Kennedy said. "On the dark web, the 'quality' of stolen account credentials influences the asking price, so access to more influential YouTube channels would command higher prices."
