In online crime forums, specialization is everything. Enter YTStealer, a new piece of malware that steals credentials from YouTube content creators.
“What sets YTStealer apart from other stealers sold in the Dark Web market is that it focuses solely on collecting credentials for a single service rather than grabbing everything it can get,” wrote Joakim Kennedy, a researcher at security firm Intezer in a blog post on Wednesday. “When it comes to the actual process, it’s very similar to other stealers. The cookies are extracted from the browser’s database files in the user’s profile folder.”
Once the malware obtains a YouTube authentication cookie, it opens a headless browser and connects to YouTube’s Studio page, which content creators use to manage the videos they produce. YTStealer then extracts all available information about the user account, including the account name, number of subscribers, age, and whether channels are monetized.
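The two steps described above, reading the session cookies out of the browser's profile database and then replaying them against YouTube Studio, mean a stolen cookie is as good as a password until the session is revoked. The following script is an added illustration for incident responders, not YTStealer code and not Intezer's tooling: given a copied Chromium-style `Cookies` SQLite file, it inventories the live YouTube and Google authentication cookies that a stealer of this kind would take, so the responder knows which sessions must be signed out. The table layout, the WebKit timestamp format (microseconds since 1601-01-01 UTC, as used by Chrome, Edge and Brave) and the set of cookie names treated as session-bearing are assumptions from general Chromium knowledge, not from the article; the sample database is constructed inline so the script runs offline.

```python
"""Inventory live YouTube/Google session cookies in a Chromium-style Cookies DB.

Added example for responders; not code from the article, from YTStealer, or
from Intezer. Assumed (not stated on the page): the cut-down Chromium
`cookies` schema below, WebKit timestamps, and the AUTH_COOKIE_NAMES set.
"""
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Google/YouTube cookie names that carry authentication state (assumed set).
# Chromium keeps the actual value in `encrypted_value` (DPAPI on Windows,
# Keychain on macOS, a fixed key on Linux); this script only inventories
# names and expiry, it never decrypts anything.
AUTH_COOKIE_NAMES = {
    "SID", "HSID", "SSID", "APISID", "SAPISID", "LOGIN_INFO",
    "__Secure-1PSID", "__Secure-3PSID", "__Secure-1PAPISID", "__Secure-3PAPISID",
}
AUTH_HOSTS = (".youtube.com", ".google.com")
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Chromium `expires_utc` is microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def build_sample_cookie_db(path: Path, now: datetime) -> None:
    """Constructed sample: a cut-down Chromium `cookies` table (not real data)."""
    rows = [
        # host_key, name, value, encrypted_value, expires_utc, is_secure, is_httponly
        (".youtube.com", "LOGIN_INFO", "", b"v10\x00...", datetime_to_webkit(now + timedelta(days=400)), 1, 1),
        (".youtube.com", "__Secure-3PSID", "", b"v10\x00...", datetime_to_webkit(now + timedelta(days=730)), 1, 1),
        (".youtube.com", "YSC", "", b"v10\x00...", 0, 1, 1),  # session-only, not an auth cookie
        (".google.com", "SAPISID", "", b"v10\x00...", datetime_to_webkit(now + timedelta(days=730)), 1, 0),
        (".google.com", "SID", "", b"v10\x00...", datetime_to_webkit(now - timedelta(days=1)), 0, 0),  # expired
        (".example.org", "SID", "", b"v10\x00...", datetime_to_webkit(now + timedelta(days=30)), 1, 1),  # wrong host
    ]
    con = sqlite3.connect(path)
    try:
        with con:
            con.execute("""CREATE TABLE cookies (
                host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB,
                expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER)""")
            con.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", rows)
    finally:
        con.close()


def list_youtube_auth_cookies(path: Path, now: datetime) -> list[dict]:
    """Return the unexpired YouTube/Google auth cookies a stealer could replay."""
    con = sqlite3.connect(path)
    try:
        cur = con.execute(
            "SELECT host_key, name, expires_utc, is_secure, is_httponly FROM cookies")
        found = []
        for host, name, expires, secure, httponly in cur:
            if not host.endswith(AUTH_HOSTS) or name not in AUTH_COOKIE_NAMES:
                continue
            expiry = webkit_to_datetime(expires)
            if expires and expiry <= now:  # 0 means a session cookie: keep it
                continue
            found.append({"host": host, "name": name, "expires": expiry,
                          "secure": bool(secure), "httponly": bool(httponly)})
    finally:
        con.close()
    return sorted(found, key=lambda c: (c["host"], c["name"]))


def run_demo() -> list[dict]:
    """Build the constructed sample DB in a temp dir and inventory it."""
    now = datetime(2022, 6, 29, 12, 0, tzinfo=timezone.utc)
    db = Path(tempfile.mkdtemp()) / "Cookies"
    build_sample_cookie_db(db, now)
    return list_youtube_auth_cookies(db, now)


if __name__ == "__main__":
    for c in run_demo():
        print(f"{c['host']:<14} {c['name']:<18} expires {c['expires']:%Y-%m-%d}")
```

On the constructed sample this reports three live cookies (SAPISID on .google.com, LOGIN_INFO and __Secure-3PSID on .youtube.com) and ignores the expired SID, the session-only YSC and the cookie for an unrelated host. The practical point for a compromised creator: because the stealer replays the cookie rather than the password, changing the password is not enough on its own; the existing sessions have to be signed out so the copied cookies stop working.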
The malware then encrypts each data sample with a unique key and sends both to a command and control server.
The structure of the YTStealer code and the unique identifier used for each sample lead Intezer to suspect that YTStealer is being sold as a service to other threat actors. Company researchers further noted that the files used to install the malware on victims' computers also drop other credential stealers, including the ones known as RedLine and Vidar.
Many of the files are disguised as installers for legitimate tools or software. They contain fake installers for:
- OBS Studio, a piece of open source streaming software
- Video editing software including Adobe Premiere Pro, Filmora and HitFilm Express
- Audio applications and plugins such as Antares Auto-Tune Pro, Valhalla DSP, FabFilter Total and Xfer Serum
- Game mods and cheats for games such as Grand Theft Auto V, Roblox, Counter-Strike, and Call of Duty
- Driver tools such as Driver Booster and Driver Easy, which are marketed as a way to improve gaming performance
- “Cracks” for legitimate software or services, including Norton Security, Malwarebytes, Discord Nitro, Stepn, and Spotify Premium
Hardcoded in YTStealer is the domain youbot[.]solutions. It is not immediately clear whether the domain is associated with Youbot Solutions LLC, which is registered on the New Mexico Registry of Companies. Attempts to reach the company for comment were unsuccessful.