Content Creators Targeted with Malware that gathers YouTube Channel Information
A new information-stealing malware has been discovered that is targeting YouTube content creators by stealing their authentication cookies.
The malware – dubbed “YTStealer” – is believed to have been sold as a service on the dark web, and it’s being distributed using fake installers that also drop RedLine Stealer and Vidar.
“What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” said security researcher Joakim Kennedy.
The malware works by extracting cookie information from the browser's database files in the user's profile folder. Because a valid session cookie is replayed rather than the password, the stolen session keeps working until it is revoked; changing the account password alone does not help. To validate the cookie and gather YouTube channel information, the malware launches one of the browsers installed on the infected machine in headless mode, adds the stolen cookie to that instance's data store, and then uses a web automation library called "Rod" to navigate to the victim's YouTube Studio page, which YouTube describes as the place where creators "manage your presence, grow your channel, interact with your audience, and make money all in one place."
From this point, the malware captures information on the channel including its name, number of subscribers, creation date, whether it is monetized, whether it is an official artist channel, and whether it is verified. All of this information is exfiltrated to a remote server at the domain "youbot[.]solutions."
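The three behaviours described above (a non-browser process reading a browser's cookie store, a browser launched headless by a non-browser parent, and a lookup of the reported exfiltration domain) can each be turned into a behavioural detection. The following is an added example written for this page, not code from the article or from Intezer. The event shape, field names, executable names, cookie-store path patterns and the sample events are all constructed assumptions, chosen to resemble Sysmon-style telemetry; only the domain comes from the article.

```python
"""Behavioural detections for the YTStealer tradecraft described above.

Added example, not code from the article or from Intezer.  The event
dictionaries are a constructed, Sysmon-like shape (type, image,
parent_image, command_line, target, query); the sample events at the
bottom are constructed, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Browser executables that legitimately read their own profile files and
# may legitimately run headless (assumed list, extend for your estate).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

# Chromium keeps cookies in a SQLite file named "Cookies" under the profile
# directory (newer builds under a "Network" subfolder); Firefox uses
# cookies.sqlite.  Path fragments are an assumption used to recognise stores.
COOKIE_STORE_RE = re.compile(
    r"(\\User Data\\[^\\]+\\(Network\\)?Cookies$)|(\\Profiles\\[^\\]+\\cookies\.sqlite$)",
    re.IGNORECASE,
)

# Exfiltration domain named in the article (defanged there as youbot[.]solutions).
EXFIL_DOMAINS = {"youbot.solutions"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _image_name(path: str) -> str:
    """Basename of an executable path, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_file_read(ev: dict) -> Alert | None:
    """Rule 1: a browser cookie store opened by something that is not a browser."""
    if ev.get("type") != "file_read":
        return None
    image = _image_name(ev["image"])
    if image in BROWSER_IMAGES:
        return None
    if COOKIE_STORE_RE.search(ev["target"]):
        return Alert("cookie_store_access", f"{image} read {ev['target']}")
    return None


def check_process_create(ev: dict) -> Alert | None:
    """Rule 2: a browser started with --headless by a non-browser parent."""
    if ev.get("type") != "process_create":
        return None
    image = _image_name(ev["image"])
    parent = _image_name(ev["parent_image"])
    if image in BROWSER_IMAGES and parent not in BROWSER_IMAGES \
            and "--headless" in ev["command_line"].lower():
        return Alert("headless_browser_from_non_browser",
                     f"{parent} -> {image} {ev['command_line']}")
    return None


def check_dns(ev: dict) -> Alert | None:
    """Rule 3: resolution of the reported exfiltration domain or a subdomain of it."""
    if ev.get("type") != "dns_query":
        return None
    q = ev["query"].lower().rstrip(".")
    if any(q == d or q.endswith("." + d) for d in EXFIL_DOMAINS):
        return Alert("ytstealer_exfil_domain", f"{_image_name(ev['image'])} resolved {q}")
    return None


def run_detections(events: list[dict]) -> list[Alert]:
    """Apply every rule to every event, preserving event order."""
    alerts: list[Alert] = []
    for ev in events:
        for check in (check_file_read, check_process_create, check_dns):
            hit = check(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: a fake "Premiere Pro" installer behaving like
# the dropper described in the article, interleaved with benign browser events.
DROPPER = r"C:\Users\alice\Downloads\Adobe_Premiere_Pro_Setup.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
COOKIES = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
SAMPLE_EVENTS = [
    {"type": "file_read", "image": DROPPER, "target": COOKIES},                      # alert
    {"type": "file_read", "image": CHROME, "target": COOKIES},                       # benign
    {"type": "process_create", "image": CHROME, "parent_image": DROPPER,
     "command_line": "chrome.exe --headless --remote-debugging-port=0"},             # alert
    {"type": "process_create", "image": CHROME, "parent_image": CHROME,
     "command_line": "chrome.exe --type=utility"},                                   # benign
    {"type": "dns_query", "image": DROPPER, "query": "youbot.solutions"},            # alert
    {"type": "dns_query", "image": CHROME, "query": "www.youtube.com"},              # benign
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Rule 2 will also fire on developers or CI agents that drive a headless browser from a terminal or test runner, so in practice it is tuned with an allow-list of parent images; rule 1 is the higher-signal one, since nothing but the browser itself (and backup software) should open a profile's cookie store.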
YTStealer can also use the open-source Chacal “anti-VM framework” in an attempt to thwart debugging and memory analysis.
The domain for YTStealer was registered on December 12, 2021 and is possibly connected to a software company in New Mexico with the same name. The company claims to provide “unique solutions for getting and monetizing targeted traffic.” With that said, the open source intelligence gathered by Intezer has also linked the logo of the supposed company to a user account on an Iranian video-sharing service called Aparat.
Most of the dropper payloads that deliver YTStealer are disguised as installers for legitimate video editing software such as Adobe Premiere Pro or Filmora; audio tools like Ableton Live 11; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.
“YTStealer doesn’t discriminate about what credentials it steals,” Kennedy said. “On the dark web, the ‘quality’ of stolen account credentials influences the asking price, so access to more influential YouTube channels would command higher prices.”
Story via The Hacker News