Malware targeting YouTube creators has become significantly more rampant nowadays.
Researchers in the field of cybersecurity have discovered a new piece of malware designed to steal sensitive information and target YouTube content creators by stealing their authentication cookies.
The malicious tool, which has been given the name "YTStealer" by Intezer, is thought to be offered for sale as a service on the dark web.
IntSights published a report in June 2020 discussing a new trend that they had noticed and analyzed.
Within the context of this pattern, threat actors were selling access to user accounts on YouTube.
It was named YTStealer because the malware's goal is to steal authentication cookies from YouTube content creators.
It is spread through the use of fake installers that also distribute RedLine Stealer and Vidar.
Malware Attacks on YouTube Channels
Since YouTube creators are the target of YTStealer, the majority of its distribution is carried out through lures that impersonate video-editing software or software that can serve as content for new videos.
YTStealer disguises itself as Ableton Live, Adobe Premiere Pro, Filmora, OBS Studio, FL Studio, and Antares Auto-Tune Pro. Furthermore, the malware's installer also poses as installers for popular games like Valorant, Call of Duty, Counter-Strike: Global Offensive, and Grand Theft Auto V.
The malware is masked in all of those programs in an attempt to successfully lure YouTube content creators.
In addition, the researchers found that cracks and token generators for Discord Nitro and Spotify Premium also carry the new malware.
According to BleepingComputer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers.
YTStealer is typically packaged with a number of other information-stealing programs, like the notorious RedLine and Vidar.
As a result, it is most commonly regarded as a specialized "bonus" that is dropped alongside malware that targets password theft from a much wider range of software.
How Does YTStealer Work?
The malware operates by extracting the cookies from the browser's database files, which are stored in the user's profile folder.
Intezer explains that "To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store."
Intezer reports that opening the web browser in headless mode keeps the entire procedure invisible to the victim.
The victims will not notice anything out of the ordinary unless they pay close attention to the processes that are running on their computer.
YTStealer makes use of a library known as Rod to manage the browser. Rod is a utility that is frequently utilized for web automation and scraping.
As a result, information about the targeted YouTube channel is collected and exfiltrated without requiring any manual intervention.
It then collects information such as the channel name, how long the channel has existed, when it was created, the number of subscribers, whether it is monetized, whether it is an official artist channel, and whether the channel name is verified.
All data is encrypted with a key that is unique to each sample and sent to the command and control (C2) server, which is located at the domain name youbot[.]solutions.
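As an added example, not from Intezer's analysis or from this article: a small Python detector that flags an installed browser launched in headless mode by a parent that is not itself a browser or a known automation host, run over constructed process-creation records. The record format, the browser list and the parent allow-list are assumptions to tune per environment.

```python
"""Added detection example (not from Intezer's report or YTStealer itself).
Flags an installed browser started in headless mode by a parent that is not a
browser or a known automation host, over constructed process-creation records."""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}
# Matches --headless, --headless=new (Chromium) and -headless (Firefox).
HEADLESS_FLAG = re.compile(r"(^|\s)--?headless(=\w+)?(\s|$)", re.IGNORECASE)
# Parents that legitimately drive headless browsers; an assumption to tune per fleet.
ALLOWED_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "node.exe", "python.exe"}

@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious_headless(ev: ProcEvent) -> bool:
    """True when a browser is launched headless by a parent we do not expect."""
    if _basename(ev.image) not in BROWSERS:
        return False
    if not HEADLESS_FLAG.search(ev.cmdline):
        return False
    return _basename(ev.parent_image) not in ALLOWED_PARENTS

def parse_event(line: str) -> ProcEvent:
    # Constructed record format: pid|image|parent_image|cmdline
    pid, image, parent, cmdline = line.split("|", 3)
    return ProcEvent(int(pid), image, parent, cmdline)

SAMPLE_EVENTS = [  # constructed telemetry, not real YTStealer artifacts
    "4120|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Windows\\explorer.exe|chrome.exe --profile-directory=Default",
    "4188|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --type=renderer",
    "5012|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\editor\\Downloads\\Filmora_Setup.exe|chrome.exe --headless --remote-debugging-port=0 --user-data-dir=C:\\Users\\editor\\AppData\\Local\\Temp\\x1",
    "5100|C:\\Program Files\\Mozilla Firefox\\firefox.exe|C:\\Program Files\\nodejs\\node.exe|firefox.exe -headless --marionette",
]

def find_alerts(lines) -> list[int]:
    return [ev.pid for ev in map(parse_event, lines) if is_suspicious_headless(ev)]

if __name__ == "__main__":
    print("suspicious headless browser pids:", find_alerts(SAMPLE_EVENTS))  # [5012]
```

Only the Chrome instance spawned headless by the fake Filmora installer is flagged; the headless Firefox driven by node.exe is treated as expected automation.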