YouTube content creators are the target of a new data-stealing malware called YTStealer, which aims to snatch their authentication tokens and take over their channels.
An Intezer report released yesterday showed that by concentrating on a single objective, the developers of YTStealer were able to make its token-stealing operation considerably more effective, and they paired that narrow focus with a varied set of delivery schemes.
Because the malware targets YouTube creators specifically, most of its distribution relies on lures posing as video-editing software or as material that could be used in new videos.
Examples of impersonated software that include malicious YTStealer installers are:
- OBS Studio
- Adobe Premiere Pro
- FL Studio
- Ableton Live
- Antares Auto-Tune Pro
In other instances targeting gaming content creators, YTStealer is posing as:
- mods for Grand Theft Auto
- cheats for Counter-Strike: Global Offensive and Call of Duty
- hacks for Roblox
In addition, security experts have noticed cracks and token generators for Discord Nitro and Spotify Premium that contain the new malware.
Intezer notes that YTStealer is commonly bundled with other information stealers such as the notorious RedLine and Vidar. As a result, it is best regarded as a specialized “bonus” dropped alongside malware that steals passwords from a far wider range of software.
What Can YTStealer Do?
As explained by BleepingComputer, the information-stealing malware performs several anti-sandbox checks before running on the machine, using the open-source Chacal library. If the compromised computer is judged to be a legitimate target, the malware examines the browser’s SQLite database files (Chromium-based browsers keep cookies in one) for YouTube authentication tokens.
It then validates them by starting the web browser in headless mode and adding the stolen cookie to the browser’s cookie store. If the cookie is still valid, YTStealer also gathers additional data: the name of the YouTube channel, how many subscribers it has, when it was created, whether it is monetized, and whether it is an official artist channel.
Launching the browser in headless mode means no window is ever shown, so the victim will not notice anything unusual unless they examine their running processes.
The info-stealer controls the browser through Rod, a Go library built on the Chrome DevTools Protocol that is widely used for web automation and scraping. The attacker therefore does not need to intervene manually at any point in the collection and exfiltration of YouTube channel information.
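The only visible trace of this cookie-validation step is the headless browser process itself, which is what a defender can hunt for. The following is an added example written for this article, not code from the article, from Intezer, or from the YTStealer sample: it scores constructed Sysmon-style process-creation records and flags a Chromium-based browser started with `--headless` plus a DevTools remote-debugging endpoint (the mechanism automation libraries such as Rod use to drive the browser) by a parent that is not the browser itself and not a known automation tool. The record field names, the parent allow-list, the user-writable-directory heuristic, and every sample event are assumptions made for illustration.

```python
"""Flag headless-browser launches typical of cookie-validation stealers.

Added example for illustration only; the field names mirror a subset of a
Sysmon Event ID 1 record, and the allow-list and sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Chromium-based browser binaries whose headless launches we want to inspect.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Parents that legitimately drive headless browsers (assumed allow-list;
# tune it to the automation tooling actually present in your environment).
KNOWN_AUTOMATION_PARENTS = {"node.exe", "python.exe", "code.exe"}

# Chromium's own switches: --headless (optionally --headless=new) and the
# DevTools endpoint (--remote-debugging-port / --remote-debugging-pipe).
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
DEVTOOLS_RE = re.compile(r"(?:^|\s)--remote-debugging-(?:port|pipe)")
# Heuristic: parents living in Downloads or Temp are more likely to be a
# freshly executed lure than an installed application.
USER_WRITABLE_RE = re.compile(r"\\(?:downloads|temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a process-creation record (assumed field names)."""
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one event."""
    reasons: list[str] = []
    if _basename(ev.image) not in BROWSERS:
        return {"suspicious": False, "reasons": reasons}
    parent = _basename(ev.parent_image)
    # Renderer/GPU/utility children inherit the parent's flags; skip them.
    if parent in BROWSERS:
        return {"suspicious": False, "reasons": ["browser-child"]}
    if HEADLESS_RE.search(ev.command_line):
        reasons.append("headless")
    if DEVTOOLS_RE.search(ev.command_line):
        reasons.append("devtools-remote-debugging")
    if USER_WRITABLE_RE.search(ev.parent_image):
        reasons.append("parent-in-user-writable-dir")
    if parent in KNOWN_AUTOMATION_PARENTS:
        reasons.append("known-automation-parent")
    suspicious = (
        "headless" in reasons
        and "devtools-remote-debugging" in reasons
        and "known-automation-parent" not in reasons
    )
    return {"suspicious": suspicious, "reasons": reasons}


def find_suspicious(events: list[ProcessEvent]) -> list[int]:
    """Indices of events that classify() marks as suspicious."""
    return [i for i, ev in enumerate(events) if classify(ev)["suspicious"]]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(  # 0: user opens YouTube Studio from the desktop
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://studio.youtube.com',
        r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(  # 1: renderer child of the browser, inherits flags
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless',
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    ),
    ProcessEvent(  # 2: developer's browser-automation run from Node.js
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --remote-debugging-port=0',
        r"C:\Program Files\nodejs\node.exe",
    ),
    ProcessEvent(  # 3: headless browser spawned by a downloaded "installer"
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=0 --no-first-run --user-data-dir=C:\Users\alice\AppData\Local\Temp\x1',
        r"C:\Users\alice\Downloads\Premiere_Pro_2022_Setup.exe",
    ),
]

if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"event {i}: {classify(ev)['reasons']} parent={ev.parent_image}")
```

Only event 3 is flagged: the renderer child is excluded, and the Node.js-driven run carries the same flags but an allow-listed parent. In practice the allow-list is the weak point, so pair the rule with the parent's path and signer rather than its name alone.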
What Happens with the Stolen Accounts?
According to Intezer, the stolen YouTube accounts are available for sale on the dark web and their prices vary depending on the size of the channel. It goes without saying that the more popular and influential a YouTube channel is, the more expensive it will be to buy on dark web markets.
The purchasers of those accounts commonly use the stolen authentication cookies to hijack YouTube channels for cryptocurrency scams or to ask for a ransom from legitimate owners.
This poses a significant risk to YouTube content creators because even when an account is protected by MFA, a stolen session cookie lets the attacker in without the password or the second factor: the session it represents has already been authenticated.
In conclusion, YouTube creators are advised to log out of their accounts regularly, which invalidates authentication tokens that may have been created or stolen earlier, and to review the devices currently signed in to their Google account for sessions they do not recognize.