Pierluigi Paganini
June 30, 2022
Intezer cybersecurity researchers have detailed a new information-stealing malware, dubbed YTStealer, that was developed to steal authentication cookies from YouTube content creators.
The malware is highly likely available as a service on the Dark Web. Upon executing the malware, it performs some environment checks to avoid being executed in a sandbox. YTStealer borrows the code that performs the checks comes from an open-source project hosted on GitHub called Chacal.
“If YTStealer finds authentication cookies for YouTube, it does something interesting though. To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store.” reads the post published by Intezer. “By starting the web browser in headless mode, the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything. To control the browser, the malware uses a library called Rod. Rod provides a high-level interface to control browsers over the DevTools Protocol and markets itself as a tool for web automation and scraping.”
YTStealer uses the Using the web browser to navigate to YouTube’s Studio page which is used by content creators to manage their content. Once gained access to the YouTube studio, the malware grabs information about the user’s channels, including the channel name, the number of subscribers, their creation date, its verification status and if it is monetized. The malware encrypts all the data with a key that is unique for each sample and sends it along with a sample identifier to the C2 server located at the domain name youbot[.]solutions.
This domain was registered on December 12, 2021, the domain name links it to an American corporation with the name of “YOUBOT SOLUTIONS LLC” which claims to provide “unique solutions for getting and monetizing targeted traffic.”
“The business listing has a logo of an eye in a red circle. A Google image search using the icon returned some results with the same image. All the results were under the domain aparat[.]com. Aparat is an Iranian video-sharing site that was founded in 2011. The image matched was used as a profile picture for a user on the site. The profile page provided a link to a Twitter account.” continues the report.
The analysis of the files that either dropped or downloaded the YTStealer samples revealed that most of them don’t just drop the YTStealer. The droppers are also loaded with other stealers, including RedLine and Vidar stealers.
A lot of the droppers are disguised as installers for legitimate video editing software, such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools like Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products.
“Someone always has a way of monetizing data. When it comes to stolen YouTube authentication data, we haven’t analyzed how it’s being monetized in the next step of the chain. One potential option could be to defraud the subscribers of channels. When it comes to how this malware is infecting the victims, we can see a trend. Most of the fake installers used were for cracked versions of legitimate software. We also saw fake installers for mods and cheats for games.” concludes the report. “When it comes to how to protect yourself, the classic security practice should be applied. Only use software from trusted sources.”
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, YTStealer)
[adrotate banner=”5″]
[adrotate banner=”13″]
