A new malware strain named YTStealer is targeting YouTube content creators by stealing their authentication cookies and hijacking their channels. The malware was identified by Joakim Kennedy, a researcher at security research firm Intezer.
"In this blog post, we are describing a new malware that we have concluded is highly likely sold as a service on the Dark Web. We have named the malware YTStealer because its sole objective is to steal authentication cookies from YouTube content creators. In June 2020, IntSights released a report on a new trend that they observed. In this trend, threat actors were selling access to YouTube accounts," Kennedy wrote in the blog post.
The researcher has shared one of the many methods threat actors are using to obtain these YouTube accounts.
YTStealer is a stealer whose objective is to steal YouTube authentication cookies, and it operates like many other stealers. When executed, it first performs environment checks to detect whether it is being analysed in a sandbox. The code that performs the checks comes from an open-source project hosted on GitHub called Chacal.
What sets YTStealer apart from other stealers sold on the Dark Web market is that it is solely focused on harvesting credentials for a single service instead of grabbing everything it can get hold of.
"When it comes to the actual process, it is very similar to that seen in other stealers. The cookies are extracted from the browser’s database files in the user’s profile folder," Kennedy added.
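A defender-side illustration of the behaviour described above, added here and not taken from Intezer's post: because the cookies sit in database files under the user's profile, file-access telemetry can be checked for non-browser processes opening those files. The event field names, browser list, install folders and sample events are assumptions constructed for this example.

```python
import json
import ntpath
import re

# Cookie databases of common browsers (assumed; the article names no browser).
COOKIE_DB = re.compile(
    r"(?i)\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(?:Network\\)?Cookies$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$")
# Browser binaries and the folder each is expected to run from (assumed defaults).
BROWSERS = {
    "chrome.exe": r"c:\program files\google\chrome\application",
    "msedge.exe": r"c:\program files (x86)\microsoft\edge\application",
    "firefox.exe": r"c:\program files\mozilla firefox",
}

def suspicious_cookie_access(lines):
    """Return (image, target) pairs where a non-browser process opened a cookie DB."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            image, target = str(ev["image"]), str(ev["target"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or incomplete record
        if not COOKIE_DB.search(target):
            continue
        folder, exe = ntpath.split(image.lower())
        # The file name alone is not trusted: it must also run from its install folder.
        if BROWSERS.get(exe) == folder:
            continue
        hits.append((image, target))
    return hits

# Constructed sample events; the "image"/"target" field names are hypothetical.
U = r"C:\Users\alice\AppData"
CHROME_DB = U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"
SAMPLE = [json.dumps({"image": i, "target": t}) for i, t in [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME_DB),
    (U + r"\Local\Temp\installer_x.exe", CHROME_DB),
    (U + r"\Roaming\chrome.exe",
     U + r"\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\cookies.sqlite"),
    (U + r"\Local\Temp\installer_x.exe", U + r"\Local\Temp\readme.txt"),
]] + ["not json"]

if __name__ == "__main__":
    for image, target in suspicious_cookie_access(SAMPLE):
        print(f"ALERT {image} -> {target}")
```

In the sample, the genuine Chrome process is ignored, while the unknown binary in Temp and the `chrome.exe` running from outside its install folder are both flagged.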