
A New YTStealer Malware Targets YouTube Content Creator

The malware extracts YouTube authentication cookie information from the web browser's database files in the user's profile folder.
Google Threat Analysis Group (TAG) has recently uncovered a new information-stealing malware, named 'YTStealer', that targets YouTube content creators by stealing their authentication cookies. The malware is delivered through fake installers that also drop RedLine Stealer and Vidar, and the stolen data is sold as a service on the dark web.

"What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kennedy said in a report published on Wednesday.

According to the research, the malware extracts YouTube authentication cookie information from the web browser's database files in the user's profile folder; it then opens a headless browser and connects to YouTube's Studio page, which content creators use to manage the videos they publish.

Further, the malware collects all available account data, including the account name, number of subscribers, account age, and whether the channel is monetized. It then encrypts the collected data with a unique key and sends both the encrypted data and the key to a command-and-control server.
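The two behaviours described above (a non-browser process reading the cookie database inside a browser profile folder, then a headless browser being driven to YouTube Studio) are what a defender would look for in endpoint telemetry. The following is an added detection example written for this post; it is not code from the report or from the malware. The event schema and the sample events are constructed for illustration, and the cookie-database path patterns are the standard Chromium (`User Data\<profile>\[Network\]Cookies`) and Firefox (`cookies.sqlite`) locations, which are an assumption you should adjust to the browsers in your environment.

```python
"""Toy detection rules for the YTStealer behaviours described above.

Added example, not code from the original report. The event records below
are constructed; a real deployment would map these rules onto EDR or Sysmon
file-access and process-creation events.
"""
import re

# Processes that legitimately open their own cookie store.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Cookie databases as they sit inside a user's profile folder (assumed
# standard locations: Chromium keeps 'Cookies' under <profile>\ or
# <profile>\Network\, Firefox keeps cookies.sqlite in the profile directory).
COOKIE_DB_RE = re.compile(
    r"\\(User Data\\[^\\]+\\(Network\\)?Cookies|cookies\.sqlite)$", re.IGNORECASE
)

# YouTube Studio, the page the stealer drives with a headless browser.
STUDIO_RE = re.compile(r"https?://studio\.youtube\.com", re.IGNORECASE)


def detect_cookie_theft(event):
    """Flag a non-browser process touching a browser cookie database."""
    path = event.get("file") or ""
    if not COOKIE_DB_RE.search(path):
        return None
    if event["process"].lower() in BROWSER_PROCESSES:
        return None
    return f"cookie-db-access: {event['process']} read {path}"


def detect_headless_studio(event):
    """Flag a browser started headless and pointed at YouTube Studio."""
    cmd = event.get("cmdline", "")
    if "--headless" not in cmd or not STUDIO_RE.search(cmd):
        return None
    if event["process"].lower() not in BROWSER_PROCESSES:
        return None
    return f"headless-studio: {event['process']} launched by {event['parent']}"


def scan(events):
    """Run both rules over a list of events and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        for rule in (detect_cookie_theft, detect_headless_studio):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign browser read, one fake installer
# reading two cookie stores, one headless browser it spawned, one unrelated read.
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "parent": "explorer.exe", "cmdline": "chrome.exe",
     "file": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"process": "OBS-Studio-Setup.exe", "parent": "explorer.exe", "cmdline": "OBS-Studio-Setup.exe",
     "file": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"process": "OBS-Studio-Setup.exe", "parent": "explorer.exe", "cmdline": "OBS-Studio-Setup.exe",
     "file": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\cookies.sqlite"},
    {"process": "chrome.exe", "parent": "OBS-Studio-Setup.exe",
     "cmdline": "chrome.exe --headless --disable-gpu https://studio.youtube.com/", "file": None},
    {"process": "OBS-Studio-Setup.exe", "parent": "explorer.exe", "cmdline": "OBS-Studio-Setup.exe",
     "file": r"C:\Users\alice\Downloads\readme.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints three alerts: two cookie-database reads by the fake installer and one headless Chrome launch toward YouTube Studio with the installer as its parent. The benign Chrome read and the unrelated file access raise nothing, which is the point of the allowlist: the signal is the combination of who reads the cookie store and what a headless browser is subsequently pointed at, not cookie-file access on its own.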

The files were disguised as installers for legitimate tools or software, including:
  • OBS Studio, a piece of open-source streaming software
  • Audio applications and plugins such as Antares Auto-Tune Pro, Valhalla DSP, FabFilter Total, and Xfer Serum
  • Video editing software, including Adobe Premiere Pro, Filmora, and HitFilm Express
  • Game mods and cheats for games such as Grand Theft Auto V, Roblox, Counter-Strike, and Call of Duty
  • "Cracks" for legitimate software or services, including Norton Security, Malwarebytes, Discord Nitro, Stepn, and Spotify Premium
  • Driver tools such as "Driver Booster" and "Driver Easy"
The researchers also discovered that the files used to install the malware on targeted devices were loaded with other credential stealers, including RedLine, Vidar, Predator The Thief, Masad, Nexus stealer, Azorult, Vikro Stealer, Raccoon, Grand Stealer, and Kantal, along with open-source malware such as Sorano and AdamantiumThief.