Executive Summary

Analysis and Attribution

• CloudSEK’s contextual AI digital risk platform XVigil has identified an info stealer malware named YTStealer targeting YouTube creators and stealing authentication cookies.
• The stealer enables an attacker to gain access to control, modify, and monetize the accounts.
• YTStealer impersonates editing software, gaming cheats, or cracks software.

Working of the YTStealer

• YTStealer upon execution uses an open-source tool named Chacal to:
  • Run anti-sandbox checks
  • Detect if any malware is being analyzed in the sandbox
• The malware then uses a tool named Rod to look for YouTube authentication cookies by using one of the installed browsers in headless mode.
• The following data is collected:
  • YouTube authentication cookies
  • YouTube Channel Name
  • Monetization Status
  • Subscriber Information
  • YouTube Studio Status
• The YTStealer is frequently dropped alongside other stealers, particularly the Redline and the Vidar Stealer.

Delivery Mechanism

• YTStealer lures YouTube creators using applications such as Adobe Pro and Filmora.

Data Exfiltration

• Stolen data is encrypted and sent to a C2 server associated with the domain name of youbot[.]solutions.
• The domain was registered in 2021 and is associated with Youbots Solutions LLC, listed on Google Business, and registered in Mexico.

Monetization

• The stolen data along with Youtube credentials are sold on cybercrime forums.
• The stolen authentication cookies can be used to gain access to YouTube channels or accounts to demand ransom from the owner.

Impact & Mitigation

Indicators of Compromise (IoCs)

References

• ^#Traffic Light Protocol - Wikipedia
• YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom” - Intezer
• VirusTotal - File - 132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a
• Hashes to YTStealer
• YTStealer Malware - Malware removal instructions (updated) (pcrisk.com)

Appendix