YouTube content creators are the target of a new information-stealing malware called YTStealer, which aims to steal their authentication cookies and take over their channels.
It is unusual for YTStealer to have such a narrow focus in a market where numerous general-purpose info-stealers compete for cybercriminals’ attention.
Intezer’s research, released today, argues that by concentrating on a single objective, the YTStealer developers were able to build a very effective token-stealing workflow.
Concentrating on YouTube content producers
Because it targets YouTube creators, YTStealer is mostly distributed through lures that imitate video-editing software or material a new channel might need as content.
Examples of imitated programmes whose installers carry YTStealer include OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares Auto-Tune Pro and Filmora.
In other cases, YTStealer poses as Grand Theft Auto V mods, Call of Duty and Counter-Strike: GO cheats, the Valorant game, or Roblox hacks, in order to target creators who produce gaming content.
The researchers also found samples bundled with cracks and token generators for Spotify Premium and Discord Nitro.
Intezer notes that YTStealer is often delivered together with other info-stealers, including the infamous RedLine and Vidar. Because those families steal credentials from a much wider range of software, YTStealer is typically treated as a specialised “extra” distributed alongside them.
Before running its main routine on the host, YTStealer performs several anti-sandbox checks using the free Chacal utility.
If it decides the infected machine is a genuine target, the malware parses the browser’s SQLite database files looking for YouTube authentication cookies.
It then loads the stolen cookies into the cookie store of a web browser that it launches in headless mode, and uses that session to validate them. If they are valid, YTStealer also collects extra data such as:
- YouTube channel name
- Subscriber count
- Creation date
- Monetization status
- Official artist channel status
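The cookie-harvesting step described above starts with the browser’s own SQLite cookie database. As an added example (the editor’s, not code from the article, from Intezer or from YTStealer), the script below audits a Chromium-format “Cookies” database and reports which Google/YouTube session cookies are present, with their expiry and security flags, which is what a creator or responder would check after a suspected infection. The set of cookie names and the sample rows are assumptions constructed for the example; the timestamp epoch (microseconds since 1601-01-01 UTC) is Chromium’s real convention.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Cookie names that together make up a signed-in Google/YouTube session.
# ASSUMPTION (editor's, not from the article): this is the set a practitioner
# would check for; Google does not document it and it changes over time.
SESSION_COOKIE_NAMES = {
    "SID", "HSID", "SSID", "APISID", "SAPISID",
    "__Secure-1PSID", "__Secure-3PSID", "LOGIN_INFO",
}

# Chromium stores cookie timestamps as microseconds since 1601-01-01 UTC
# (the Windows FILETIME epoch); expires_utc == 0 means a session cookie.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_chromium_time(us):
    """Chromium timestamp -> aware datetime, or None for a session cookie."""
    return None if us == 0 else WINDOWS_EPOCH + timedelta(microseconds=us)


def to_chromium_time(dt):
    """Inverse of from_chromium_time, used here to build the sample database."""
    return int((dt - WINDOWS_EPOCH) / timedelta(microseconds=1))


def find_session_cookies(conn):
    """Return the Google/YouTube auth cookies stored in a Chromium 'Cookies' DB.

    Only metadata is read. In a real profile the 'value' column is empty and
    'encrypted_value' holds a blob protected with an OS/profile key, which is
    why a stealer also has to recover that key before it can replay a session.
    """
    # Chromium stores domain cookies with a leading dot, so '%.youtube.com'
    # matches '.youtube.com' and its subdomains but not 'notyoutube.com'.
    rows = conn.execute(
        "SELECT host_key, name, expires_utc, is_secure, is_httponly FROM cookies "
        "WHERE host_key LIKE '%.youtube.com' OR host_key LIKE '%.google.com'"
    )
    found = []
    for host, name, expires, secure, httponly in rows:
        if name in SESSION_COOKIE_NAMES:
            found.append({
                "host": host,
                "name": name,
                "expires": from_chromium_time(expires),
                "secure": bool(secure),
                "httponly": bool(httponly),
            })
    return found


def build_sample_db():
    """Constructed sample, not a real profile: a cut-down copy of Chromium's
    'cookies' table with only the columns the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE cookies (
            host_key TEXT NOT NULL, name TEXT NOT NULL,
            value TEXT NOT NULL DEFAULT '', encrypted_value BLOB DEFAULT '',
            path TEXT NOT NULL DEFAULT '/', expires_utc INTEGER NOT NULL DEFAULT 0,
            is_secure INTEGER NOT NULL DEFAULT 0, is_httponly INTEGER NOT NULL DEFAULT 0)
    """)
    expiry = to_chromium_time(datetime(2026, 1, 1, tzinfo=timezone.utc))
    blob = b"v10\x00constructed-ciphertext"  # stand-in for the encrypted value
    conn.executemany(
        "INSERT INTO cookies (host_key, name, encrypted_value, expires_utc, "
        "is_secure, is_httponly) VALUES (?, ?, ?, ?, ?, ?)",
        [
            (".youtube.com", "SID", blob, expiry, 0, 0),
            (".youtube.com", "HSID", blob, expiry, 0, 1),
            (".youtube.com", "SSID", blob, expiry, 1, 1),
            (".youtube.com", "SAPISID", blob, expiry, 1, 0),
            (".youtube.com", "LOGIN_INFO", blob, expiry, 1, 1),
            (".youtube.com", "PREF", blob, expiry, 0, 0),   # preferences, not auth
            (".youtube.com", "YSC", blob, 0, 1, 1),         # session-only, not auth
            (".example.com", "SID", blob, expiry, 0, 0),    # same name, unrelated host
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for c in find_session_cookies(build_sample_db()):
        print(f"{c['name']:<12} {c['host']:<14} expires={c['expires']} "
              f"secure={c['secure']} httponly={c['httponly']}")
```

Run against a copy of a real profile’s “Cookies” file (take a copy; the browser holds a lock on the live one) the same query shows whether long-lived auth cookies are still present after a sign-out. Note that the audit deliberately never touches `encrypted_value`: the point is to see what a stealer would have found, not to decrypt it.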
Starting the browser in headless mode keeps the whole operation stealthy: the victim would notice nothing odd unless they closely examined their running processes.
YTStealer drives the browser with Rod, a library for web automation and scraping, so the information is extracted from the YouTube channel without any manual intervention by the threat actor.
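Since the headless browser is the one part of the operation that does show up in process telemetry, a detection rule is the natural counterpart to the paragraph above. The following is an added example by the editor, not code from the article or from Intezer: it runs over a handful of constructed Sysmon-style process-creation events and flags a Chromium-based browser started with automation flags by a parent that is not an expected automation host. The assumption that a Rod-driven launch carries `--headless` and `--remote-debugging-port` is the editor’s (DevTools-protocol clients generally set these); the article only says that YTStealer uses Rod to run the browser headlessly. The allow-list of parents is local tuning, not a recommendation.

```python
import re

# Browsers that DevTools-protocol automation (Rod, Puppeteer, etc.) can drive.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "chrome", "chromium", "msedge"}

# Flags that make a Chromium-based browser attach to an automation client.
# ASSUMPTION (editor's): a Rod-driven launch uses --headless and
# --remote-debugging-port; the article only says Rod runs the browser headlessly.
AUTOMATION_FLAGS = ("--headless", "--remote-debugging-port", "--remote-debugging-pipe")

# Parents that legitimately spawn headless browsers on this host: local tuning.
ALLOWED_PARENTS = {"node.exe", "python.exe", "node", "python3"}


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_headless_launch(event):
    """True when a top-level browser process is started with automation flags
    by a parent that is not an expected automation host."""
    if basename(event["Image"]) not in BROWSER_IMAGES:
        return False
    # Naive whitespace split: quoted paths with spaces break apart, but the
    # flags we care about are single tokens and are still found.
    tokens = event["CommandLine"].split()
    # Renderer/GPU/utility children inherit the parent's flags and carry
    # --type=...; skip them so one launch does not yield a dozen alerts.
    if any(t.startswith("--type=") for t in tokens):
        return False
    if not any(t.startswith(AUTOMATION_FLAGS) for t in tokens):
        return False
    return basename(event["ParentImage"]) not in ALLOWED_PARENTS


def detect_headless_browser(events):
    """Return the events worth alerting on, each with the flags that triggered it."""
    alerts = []
    for ev in events:
        if is_headless_launch(ev):
            flags = [t for t in ev["CommandLine"].split() if t.startswith(AUTOMATION_FLAGS)]
            alerts.append({"parent": ev["ParentImage"], "image": ev["Image"], "flags": flags})
    return alerts


# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {   # a "setup" from a lure archive spawning a headless Chrome: alert
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" --headless --remote-debugging-port=0 --no-first-run --user-data-dir=C:\Users\alice\AppData\Local\Temp\rod',
        "ParentImage": r"C:\Users\alice\Downloads\OBS-Studio-Setup.exe",
    },
    {   # renderer child of that launch: suppressed to avoid duplicate alerts
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" --type=renderer --headless --user-data-dir=C:\Users\alice\AppData\Local\Temp\rod',
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {   # normal interactive browsing: no automation flags, no alert
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" https://studio.youtube.com/',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # developer's Puppeteer-style script: allowed parent, no alert
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" --headless=new --remote-debugging-port=9222',
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
    },
    {   # cracked-software lure launching Edge with the debugging port open: alert
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"msedge.exe" --remote-debugging-port=9222 --user-data-dir=C:\Users\alice\AppData\Local\Temp\edge',
        "ParentImage": r"C:\Users\alice\AppData\Roaming\FL_Studio_Crack\setup.exe",
    },
]

if __name__ == "__main__":
    for a in detect_headless_browser(SAMPLE_EVENTS):
        print(f"ALERT parent={a['parent']} flags={' '.join(a['flags'])}")
```

The parent-process condition carries most of the weight: a headless browser started by node or a test runner is routine, one started by an installer sitting in Downloads or AppData is not. The `--type=` filter matters in practice because every Chromium launch produces several child processes that inherit the same command line.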
Selling accounts on the dark web
Being fully automated, YTStealer steals every YouTube account it finds, regardless of size, and then leaves its operators to sort through the haul.
According to Intezer, the price of a stolen YouTube account varies with its subscriber count. Naturally, the bigger and more popular a channel is, the more it costs on dark web markets.
Buyers of those accounts commonly use the stolen authentication cookies either to extort a ransom from the legitimate channel owners or to hijack the channels for various cryptocurrency scams.
This is a significant risk for YouTube creators: even if an account is protected by MFA, a stolen session cookie represents an already-authenticated session, so the attacker never has to pass the MFA challenge.
YouTube creators are advised to periodically log out of their accounts, which invalidates previously issued or stolen authentication tokens. Logging out on one device only ends that device’s session; sessions on other devices can be reviewed and signed out from the Google Account security settings.