YouTube creators’ accounts hijacked with cookie-stealing malware

A Cookie Theft malware was employed in phishing attacks against YouTube creators, Google’s Threat Analysis Group (TAG) warns.

Financially motivated threat actors are using Cookie Theft malware in phishing attacks against YouTube creators since late 2019. According to Google’s Threat Analysis Group (TAG) researchers, who spotted the campaign, the attacks were launched by multiple hack-for-hire actors recruited on Russian-speaking forums. Below are the job descriptions used to recruit the hackers.

The hackers used fake collaboration opportunities (i.e. a demo for anti-virus software, VPN, music players, photo editing or online games) to hijack the channel of YouTube creators. Once hijacked the channel, attackers either sell it to the highest bidder or employ it in cryptocurrency scam scheme.

Hijacked channels ranged from $3 USD to $4,000 USD depending on the number of subscribers.

The malware landing page is disguised as a software download URL that was sent via email or a PDF on Google Drive, or via Google documents containing the phishing links. The researchers identified around 15,000 actor accounts, most of which were created for this campaign.

Experts also observed the attackers driving targets to messaging apps like WhatsApp, Telegram or Discord because Google is able to neutralize phishing attempts via Gmail,

Upon running the fake software, a cookie stealing malware will be executed. The malware steals the browser cookies from the infected machine and sends them to C2 servers. Experts noticed that all the malware involved in this campaign runs in a non-persistent mode.

Some of the malicious codes used in this campaign are RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, along with open-source malware like Sorano and AdamantiumThief.

Once delivered on the targets’ systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims’ accounts in pass-the-cookie attacks.

“While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics,” said Ashley Shen, a TAG Security Engineer.

“Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution.” reads the analysis published by Google TAG.

Google shared its findings with the FBI and shared Indicators of Compromise for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, YouTube creators)

[adrotate banner=”5″]

[adrotate banner=”13″]