Category: Malware Intelligence | Type/Family: Stealer Malware | Industry: Media, Entertainment & Marketing | Region: Global
Executive Summary
THREAT | IMPACT | MITIGATION |
---|---|---|
Analysis and Attribution
- CloudSEK's contextual AI digital risk platform XVigil has identified an information stealer named YTStealer that targets YouTube creators and steals their YouTube authentication cookies.
- Because the cookies carry an already-authenticated session, whoever holds them can sign in to the channel without the password or a second factor, and from there control, modify and monetize the account.
- YTStealer is distributed as fake installers that impersonate video-editing and audio-production software, game cheats and mods, and cracked commercial software.
Category | Impersonated software
---|---
Editing and production software | OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares
Games and cheats | Grand Theft Auto V, cheats for Counter-Strike: Global Offensive and Call of Duty, Valorant, hacks for Roblox
Cracks | Norton Security, Malwarebytes, Discord Nitro, Spotify Premium
Working of YTStealer
- On execution, YTStealer runs anti-analysis checks using Chacal, an open-source Go anti-VM/anti-sandbox library. If it detects that it is running in a sandbox or virtual machine it exits without stealing anything, so a dynamic-analysis run that fails these checks shows no cookie access and no C2 traffic.
- If the checks pass, the malware extracts YouTube authentication cookies from the cookie stores of the browsers installed on the host.
- It then uses Rod, a Go browser-automation library that drives Chromium-based browsers through the DevTools protocol, to launch one of the installed browsers in headless mode, load the stolen cookies into it and open YouTube Studio. This confirms that the cookies still represent a valid session and lets the malware scrape the channel's details without the victim seeing a browser window.
- The following data is collected:
  - YouTube authentication cookies
  - YouTube channel name
  - Monetization status
  - Subscriber count
  - Channel status as shown in YouTube Studio
- YTStealer is frequently dropped alongside other stealers, particularly RedLine and Vidar.
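As an added example (not code from the report, and not the malware's own code), the following Python audit opens a Chromium-style cookie store and lists the Google and YouTube session cookies a stealer would lift. The cookie names are the real Google/YouTube session cookie names and the timestamp conversion matches Chromium's, but the table is a cut-down copy of Chromium's schema and every row is constructed. Because the query only touches columns that exist in a real profile (`host_key`, `name`, `expires_utc`, `is_secure`, `is_httponly`) and never decrypts values, it can be pointed at a copied `Cookies` file to see whether a live YouTube login is sitting on disk, which is exactly the exposure YTStealer exploits.

```python
"""Audit a Chromium-style cookie store for the Google/YouTube session cookies
that YTStealer harvests. Added example, not code from the report or the malware.
The cookies table below is a cut-down copy of Chromium's real schema and every
row is constructed; real profiles keep DPAPI/keychain-encrypted values."""
import os
import sqlite3
import tempfile
import time
from typing import Optional

# Google account session cookies plus YouTube's LOGIN_INFO cookie. A client that
# presents these is treated as the signed-in user; no password or 2FA prompt is shown.
SESSION_COOKIE_NAMES = {
    "SID", "HSID", "SSID", "APISID", "SAPISID",
    "__Secure-1PSID", "__Secure-3PSID", "LOGIN_INFO",
}
GOOGLE_HOSTS = (".google.com", ".youtube.com")

# Chromium stores timestamps as microseconds since 1601-01-01 (Windows FILETIME epoch).
_EPOCH_OFFSET_US = 11_644_473_600 * 1_000_000


def chromium_time(unix_seconds: float) -> int:
    return int(unix_seconds * 1_000_000) + _EPOCH_OFFSET_US


def build_sample_cookie_db(path: str, now: float) -> None:
    """Write a constructed cookie store with a mix of session, preference,
    expired and unrelated-host cookies."""
    month = 30 * 86400
    rows = [
        (".youtube.com", "LOGIN_INFO", b"<enc>", "/", chromium_time(now + month), 1, 1),
        (".google.com", "SID", b"<enc>", "/", chromium_time(now + month), 0, 0),
        (".google.com", "HSID", b"<enc>", "/", chromium_time(now + month), 0, 1),
        (".google.com", "SAPISID", b"<enc>", "/", chromium_time(now + month), 1, 0),
        (".google.com", "NID", b"<enc>", "/", chromium_time(now + month), 0, 1),    # tracking, not auth
        (".youtube.com", "PREF", b"<enc>", "/", chromium_time(now + month), 0, 0),  # player preferences
        (".google.com", "SSID", b"<enc>", "/", chromium_time(now - 3600), 1, 1),    # already expired
        (".example.org", "SID", b"<enc>", "/", chromium_time(now + month), 0, 0),   # same name, wrong host
    ]
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE cookies (
        host_key TEXT, name TEXT, encrypted_value BLOB, path TEXT,
        expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER)""")
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    conn.close()


def find_youtube_session_cookies(db_path: str, now: Optional[float] = None) -> list:
    """Return the unexpired Google/YouTube session cookies in the store: the set a
    stealer would lift. Opens read-only; a running browser holds the live file
    locked, which is why stealers copy it before reading."""
    now = time.time() if now is None else now
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        cur = conn.execute(
            "SELECT host_key, name, expires_utc, is_secure, is_httponly FROM cookies")
        found = []
        for host, name, expires, secure, httponly in cur:
            if not host.endswith(GOOGLE_HOSTS) or name not in SESSION_COOKIE_NAMES:
                continue
            if expires <= chromium_time(now):
                continue
            found.append({"host": host, "name": name,
                          "secure": bool(secure), "httponly": bool(httponly)})
    finally:
        conn.close()
    return sorted(found, key=lambda c: (c["host"], c["name"]))


def has_live_youtube_session(cookies: list) -> bool:
    """LOGIN_INFO on .youtube.com is the clearest sign a YouTube login is on disk."""
    return any(c["host"] == ".youtube.com" and c["name"] == "LOGIN_INFO" for c in cookies)


def demo() -> list:
    """Build the constructed store in a temp dir and audit it."""
    db = os.path.join(tempfile.mkdtemp(), "Cookies")
    now = time.time()
    build_sample_cookie_db(db, now)
    return find_youtube_session_cookies(db, now)


if __name__ == "__main__":
    hits = demo()
    for c in hits:
        print(f"{c['host']:<16} {c['name']:<16} secure={c['secure']} httponly={c['httponly']}")
    print("live YouTube session on disk:", has_live_youtube_session(hits))
```

The audit deliberately ignores `NID`, `PREF` and the expired `SSID`: a stealer only profits from cookies that still open a session, and a defender deciding whether to force sign-out on a compromised machine cares about the same set.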
Delivery Mechanism
- YTStealer is delivered as fake installers for video-editing applications popular with creators, such as Adobe Premiere Pro and Filmora, alongside the game cheats and cracks listed above.
Data Exfiltration
- The collected data is encrypted and sent to a C2 server under the domain youbot[.]solutions.
- The domain was registered in 2021 and is associated with Youbots Solutions LLC, a company listed on Google Business and registered in Mexico.
Monetization
- The harvested channel data and YouTube credentials are sold on cybercrime forums.
- Buyers can use the authentication cookies to take over the YouTube channel or account and demand a ransom from its owner.
Impact & Mitigation
Impact | Mitigation |
---|---|
Indicators of Compromise (IoCs)
The following IoCs for YTStealer are taken from VirusTotal. The two SHA-256 hashes identify specific samples; the network indicators come from sandbox runs and should be corroborated before they are blocked.
Hashes (SHA-256) |
---|
132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a |
0ceda63f30a539d25356dbf5c2893fb56bb66daec3c1484ca84a18b692639d83 |
URL |
---|
http://pki.goog/gsr1/gsr1.crt |
IP Addresses |
---|
149.154.167.99 |
185.200.191.18 |
- pki.goog is Google Trust Services' certificate repository and gsr1.crt is the GlobalSign Root R1 certificate; any host completing TLS certificate validation may fetch it, so this URL on its own is not evidence of infection.
- 149.154.167.99 falls inside a Telegram-operated address range and is shared with legitimate Telegram traffic, so treat it as low-confidence unless the connection is tied to the sample's process.
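As an added example (not the report's tooling), the Python scanner below walks a directory tree and flags files whose SHA-256 matches the two hashes above. Hash IoCs are brittle, since a repacked or recompiled build produces a new hash, so the function takes the IoC set as a parameter for extension with hashes from other sources. The files it scans in `demo()` are constructed placeholders, not malware samples.

```python
"""Walk a directory and flag files whose SHA-256 matches the report's YTStealer
hashes. Added example, not the report's tooling. The scanned files in demo()
are constructed placeholders, not malware samples."""
import hashlib
import os
import tempfile
from typing import List, Set, Tuple

# SHA-256 hashes from the report's IoC table.
YTSTEALER_SHA256 = {
    "132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a",
    "0ceda63f30a539d25356dbf5c2893fb56bb66daec3c1484ca84a18b692639d83",
}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, iocs: Set[str] = YTSTEALER_SHA256,
                   max_size: int = 200 * 1024 * 1024) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every regular file under root whose hash is in iocs.
    Symlinks and oversized files are skipped; unreadable files are ignored rather
    than aborting the scan, since a locked file must not hide hits elsewhere."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return sorted(hits)


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scan: a fake 'installer' whose hash is added to the IoC set, plus a
    benign file. Returns (hits against the extended set, hits against the report's set)."""
    root = tempfile.mkdtemp()
    lure = os.path.join(root, "Downloads", "OBS-Studio-Setup.exe")  # name mimics the lure only
    os.makedirs(os.path.dirname(lure))
    with open(lure, "wb") as fh:
        fh.write(b"MZ constructed placeholder, not an executable\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"benign file\n")
    extended = YTSTEALER_SHA256 | {sha256_of_file(lure)}
    return scan_directory(root, extended), scan_directory(root)


if __name__ == "__main__":
    with_hit, without_hit = demo()
    for path, digest in with_hit:
        print(f"MATCH {digest[:16]}... {path}")
    print(f"hits against the report's two hashes alone: {len(without_hit)}")
```

Point `scan_directory` at the users' Downloads and temp folders, where the fake installers land, and feed the hash set from a threat-intel platform rather than hard-coding it; a miss here does not clear a host, because the stealer's cookie theft and headless-browser activity leave no file with a known hash behind.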
References
- Traffic Light Protocol - Wikipedia
- YTStealer Malware: "YouTube Cookies! Om Nom Nom Nom" - Intezer
- VirusTotal - File - 132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a
- Hashes to YTStealer
- YTStealer Malware - Malware removal instructions (updated) - pcrisk.com