In online crime forums, specialization is everything. Enter YTStealer, a new piece of malware that steals authentication credentials belonging to YouTube content creators.
“What sets YTStealer aside from other stealers sold on the Dark Web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” Joakim Kennedy, a researcher at security firm Intezer wrote in a blog post on Wednesday. “When it comes to the actual process, it is very similar to that seen in other stealers. The cookies are extracted from the browser’s database files in the user’s profile folder.”
As soon as the malware obtains a YouTube authentication cookie it opens a headless browser and connects to YouTube’s Studio page, which content creators use to manage the videos they produce. YTStealer then extracts all available information about the user account, including the account name, number of subscribers, age, and whether channels are monetized.
The malware then encrypts each data sample with a unique key and sends both to a command and control server.
The structure of the YTStealer code and the unique identifier used for each sample leads Intezer to suspect that YTStealer is being sold as a service to other threat actors. Company researchers further noticed that files used to install the malware on victim computers loaded other credential stealers, including ones called RedLine and Vidar.
Many of the files are disguised as installers for legitimate tools or software. They included fake installers for:
- OBS Studio, a piece of an open source streaming software
- Video editing software, including Adobe Premiere Pro, Filmora, and HitFilm Express
- Audio applications and plugins such as Antares Auto-Tune Pro, Valhalla DSP, FabFilter Total, and Xfer Serum
- Game modes and cheats for games such as Grand Theft Auto V, Roblox, Counter-Strike, and Call of Duty
- Driver tools such as “Driver Booster” and “Driver Easy,” which bill themselves as a means for improving gaming computer performance
- “Cracks” for legitimate software or services including Norton Security, Malwarebytes, Discord Nitro, Stepn, and Spotify Premium
Hardcoded into the YTStealer is the domain youbot[.]solutions. It’s not immediately clear if the domain is connected to Youbot Solutions LLC, which is registered in the New Mexico registry of corporations. Attempts to reach the company for comment weren’t successful.