YTStealer Harvesting YouTube Account Credentials

Category: Malware Intelligence	Type/Family: Stealer Malware	Industry: Media, Entertainment & Marketing	Region: Global

Executive Summary

THREAT	IMPACT	MITIGATION
YTStealer, information stealer targeting YouTube creators to steal authentication cookies. Stolen data allows access and control over YouTube accounts.	Stolen cookies used for logging in without re-entering the credentials. Access to the victim's channel can be used to conduct malware or phishing campaigns.	Use antivirus or malware removal tools. Use trusted sites to download software. Do not rely on cracked versions.

CloudSEK’s contextual AI digital risk platform XVigil has identified an info stealer malware named YTStealer targeting YouTube creators and stealing authentication cookies.
The stealer enables an attacker to gain access to control, modify, and monetize the accounts.
YTStealer impersonates editing software, gaming cheats, or cracks software.

Categories of Impersonation
Software	OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares
Gaming Creators	Grand Theft Auto V, cheats for Counter-Strike Go and Call of Duty, Valorant game, or hacks for Roblox
Cracks	Norton Security and Malwarebytes, Discord Nitro and Spotify Premium

YTStealer upon execution uses an open-source tool named Chacal to:
- Run anti-sandbox checks
- Detect if any malware is being analyzed in the sandbox
The malware then uses a tool named Rod to look for YouTube authentication cookies by using one of the installed browsers in headless mode.
The following data is collected:
- YouTube authentication cookies
- YouTube Channel Name
- Monetization Status
- Subscriber Information
- YouTube Studio Status
The YTStealer is frequently dropped alongside other stealers, particularly the Redline and the Vidar Stealer.

YTStealer lures YouTube creators using applications such as Adobe Pro and Filmora.

Stolen data is encrypted and sent to a C2 server associated with the domain name of youbot[.]solutions.
The domain was registered in 2021 and is associated with Youbots Solutions LLC, listed on Google Business, and registered in Mexico.

The stolen data along with Youtube credentials are sold on cybercrime forums.
The stolen authentication cookies can be used to gain access to YouTube channels or accounts to demand ransom from the owner.

Impact	Mitigation
The stolen cookies of the user allow logging in by re-entering the credentials. Access to the victim’s channel can be used to conduct malware or phishing campaigns. The authentication tokens will bypass secured MFA and allow the actor to log into the user’s accounts.	Good antivirus or malware removal tool to detect and clean any infections. Usage of trusted sites to download the software or application.

Based on the results from VirusTotal, the following are the IOCs for YTStealer.

Hashes
132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a
0ceda63f30a539d25356dbf5c2893fb56bb66daec3c1484ca84a18b692639d83
URL
http://pki.goog/gsr1/gsr1.crt
IP Address
149.154.167.99	185.200.191.18