Media, Entertainment & Marketing
- YTStealer, information stealer targeting YouTube creators to steal authentication cookies.
- Stolen data allows access and control over YouTube accounts.
- Stolen cookies used for logging in without re-entering the credentials.
- Access to the victim's channel can be used to conduct malware or phishing campaigns.
- Use antivirus or malware removal tools.
- Use trusted sites to download software.
- Do not rely on cracked versions.
Analysis and Attribution
- CloudSEK’s contextual AI digital risk platform XVigil has identified an info stealer malware named YTStealer targeting YouTube creators and stealing authentication cookies.
- The stealer enables an attacker to gain access to control, modify, and monetize the accounts.
- YTStealer impersonates editing software, gaming cheats, or cracks software.
|Categories of Impersonation
||OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares
||Grand Theft Auto V, cheats for Counter-Strike Go and Call of Duty, Valorant game, or hacks for Roblox
||Norton Security and Malwarebytes, Discord Nitro and Spotify Premium
Working of the YTStealer
- YTStealer upon execution uses an open-source tool named Chacal to:
- Run anti-sandbox checks
- Detect if any malware is being analyzed in the sandbox
- The malware then uses a tool named Rod to look for YouTube authentication cookies by using one of the installed browsers in headless mode.
- The following data is collected:
- YouTube authentication cookies
- YouTube Channel Name
- Monetization Status
- Subscriber Information
- YouTube Studio Status
- The YTStealer is frequently dropped alongside other stealers, particularly the Redline and the Vidar Stealer.
- YTStealer lures YouTube creators using applications such as Adobe Pro and Filmora.
- Stolen data is encrypted and sent to a C2 server associated with the domain name of youbot[.]solutions.
- The domain was registered in 2021 and is associated with Youbots Solutions LLC, listed on Google Business, and registered in Mexico.
- The stolen data along with Youtube credentials are sold on cybercrime forums.
- The stolen authentication cookies can be used to gain access to YouTube channels or accounts to demand ransom from the owner.
Impact & Mitigation
- The stolen cookies of the user allow logging in by re-entering the credentials.
- Access to the victim’s channel can be used to conduct malware or phishing campaigns.
- The authentication tokens will bypass secured MFA and allow the actor to log into the user’s accounts.
- Good antivirus or malware removal tool to detect and clean any infections.
- Usage of trusted sites to download the software or application.
Indicators of Compromise (IoCs)
Based on the results from VirusTotal, the following are the IOCs for YTStealer.
[caption id="attachment_20039" align="aligncenter" width="639"]
Open-source tool named Chacal[/caption]
[caption id="attachment_20040" align="aligncenter" width="1196"]
Open-source tool named Rod[/caption]
[caption id="attachment_20041" align="aligncenter" width="483"]
YOUBOT listed on Google Business[/caption]
[caption id="attachment_20042" align="aligncenter" width="716"]
YouTube credentials on sale[/caption]
[caption id="attachment_20043" align="aligncenter" width="1920"]