Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.
Dubbed “YTStealer” by Intezer, the malicious tool is believed to be sold as a service on the dark web, and it is distributed using fake installers that also drop RedLine Stealer and Vidar.
“What sets YTStealer apart from other stealers sold on the dark web market is that it’s only focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” security researcher Joakim Kennedy said in a report shared with The Hacker News.
The malware’s modus operandi, however, mirrors its counterparts in that it extracts the cookie information from the web browser’s database files in the user’s profile folder. What ties it to content creators specifically is the next step: it uses one of the browsers installed on the infected machine to validate the stolen cookies and gather YouTube channel information.
It achieves this by launching the browser in headless mode and adding the cookie to the browser’s data store, then using a web automation tool called Rod to navigate to the user’s YouTube Studio page, which enables content creators to “manage your presence, grow your channel, interact with your audience, and make money all in one place.”
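The headless-browser step above leaves a footprint a defender can look for: a Chromium-based browser started in headless mode with a DevTools debugging port open, by a parent process that is not itself a browser. The following is an added detection example written for this article; it is not code from Intezer’s report or from YTStealer. It assumes a simplified process-creation event schema (image, parent image, command line) and the heuristic that a legitimate interactive browser launch does not combine `--headless` with `--remote-debugging-port`, both of which are real Chromium command-line switches. Rod drives Chromium over the DevTools Protocol, so a debugging port is expected, but the exact switches Rod’s launcher sets are not stated in the article and are treated here as an assumption. The sample events, including the installer file name, are constructed for the example.

```python
"""Flag headless Chromium launches whose parent is not a browser.

Added example, not from the original article or from Intezer's report.
The event schema and the sample events below are constructed.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Set

# Chromium-based browser executables; a browser spawning its own child
# processes (renderers, GPU, utility) is normal and is exempted below.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe"}

# Both are real Chromium switches: --headless (also --headless=new) and
# --remote-debugging-port=<n>. Their combination under a non-browser parent
# is the heuristic; it is an assumption, not a documented YTStealer artifact.
HEADLESS_RE = re.compile(r"--headless(?:=\w+)?$")
DEBUG_PORT_RE = re.compile(r"--remote-debugging-port=\d+$")


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _tokens(command_line: str) -> List[str]:
    # Non-POSIX mode keeps quoted Windows paths with spaces as one token and
    # does not treat backslashes as escapes. Fall back to a plain split if
    # the line has an unbalanced quote.
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()


def is_suspicious_headless_launch(event: ProcessEvent,
                                  allowed_parents: Set[str] = frozenset()) -> bool:
    """True when a browser starts headless with a debug port under an unexpected parent."""
    if _basename(event.image) not in BROWSER_IMAGES:
        return False
    args = _tokens(event.command_line)
    headless = any(HEADLESS_RE.match(a) for a in args)
    debug_port = any(DEBUG_PORT_RE.match(a) for a in args)
    if not (headless and debug_port):
        return False
    parent = _basename(event.parent_image)
    # Browser child processes inherit the parent's switches; skip them.
    if parent in BROWSER_IMAGES:
        return False
    # Site-specific allowlist for known automation hosts (CI runners, test tools).
    if parent in allowed_parents:
        return False
    return True


def scan(events: Iterable[ProcessEvent],
         allowed_parents: Set[str] = frozenset()) -> List[int]:
    """Return the indexes of events that trip the heuristic."""
    return [i for i, ev in enumerate(events)
            if is_suspicious_headless_launch(ev, allowed_parents)]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample events (no real telemetry).
SAMPLE_EVENTS = [
    # 0: user opens Chrome from the desktop
    ProcessEvent(CHROME, r"C:\Windows\explorer.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    # 1: renderer child of a headless Chrome; exempt because the parent is the browser
    ProcessEvent(CHROME, CHROME,
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer '
                 r'--headless --remote-debugging-port=0'),
    # 2: a fake installer (constructed name) starts headless Chrome with a debug port
    ProcessEvent(CHROME, r"C:\Users\creator\Downloads\Adobe_Premiere_Pro_Setup.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                 r'--remote-debugging-port=0 --no-first-run '
                 r'--user-data-dir="C:\Users\creator\AppData\Local\Temp\profile"'),
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"suspicious headless launch: parent={_basename(ev.parent_image)} cmd={ev.command_line}")
```

The heuristic will also fire on legitimate headless automation (test runners, scrapers), which is why `allowed_parents` exists; tune it per environment rather than widening the browser exemption, since the interesting event is precisely a non-browser binary driving the browser.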
From there, the malware captures information about the user’s channels, including the name, the number of subscribers, and the creation date, and also checks whether the channel is monetized, whether it is an official artist channel, and whether the name has been verified, all of which is exfiltrated to a remote server at the domain name “youbot[.]solutions.”
Another notable aspect of YTStealer is its use of the open-source Chacal “anti-VM framework” in an attempt to thwart debugging and memory analysis.
Further analysis of the domain has revealed that it was registered on December 12, 2021, and that it is likely linked to a software company of the same name that is located in the U.S. state of New Mexico and claims to offer “unique solutions for getting and monetizing targeted traffic.”
That said, open-source intelligence gathered by Intezer has also linked the logo of the supposed company to a user account on an Iranian video-sharing service called Aparat.
A majority of the dropper payloads delivering YTStealer alongside RedLine Stealer are packaged under the guise of installers for legitimate video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools like Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.
“YTStealer doesn’t discriminate about what credentials it steals,” Kennedy said. “On the dark web, the ‘quality’ of stolen account credentials influences the asking price, so access to more influential YouTube channels would command higher prices.”