YTStealer Harvesting YouTube Account Credentials

XVigil has identified an info stealer malware named YTStealer targeting YouTube creators and stealing authentication cookies. The stealer enables an attacker to gain access to control, modify, and monetize the accounts.
Published on July 20, 2022
Updated on April 19, 2023
Category: Malware Intelligence
Type/Family: Stealer Malware
Industry: Media, Entertainment & Marketing
Region: Global

Executive Summary

Threat
  • YTStealer, an information stealer targeting YouTube creators to steal authentication cookies.
Impact
  • Stolen data allows access to and control over YouTube accounts.
  • Stolen cookies are used to log in without re-entering the credentials.
  • Access to the victim's channel can be used to conduct malware or phishing campaigns.
Mitigation
  • Use antivirus or malware removal tools.
  • Use trusted sites to download software.
  • Do not rely on cracked versions.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has identified an info stealer malware named YTStealer targeting YouTube creators and stealing authentication cookies.
  • The stealer enables an attacker to gain access to control, modify, and monetize the accounts.
  • YTStealer impersonates video editing software, gaming cheats, or cracked software.
Categories of Impersonation
  • Software: OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares
  • Gaming: Grand Theft Auto V, cheats for Counter-Strike: Global Offensive and Call of Duty, Valorant, or hacks for Roblox
  • Cracks: Norton Security and Malwarebytes, Discord Nitro and Spotify Premium

Working of the YTStealer

  • Upon execution, YTStealer uses an open-source tool named Chacal to:
    • Run anti-sandbox checks
    • Detect whether it is being analyzed inside a sandbox
  • The malware then uses a tool named Rod to look for YouTube authentication cookies by using one of the installed browsers in headless mode.
  • The following data is collected:
    • YouTube authentication cookies
    • YouTube Channel Name
    • Monetization Status
    • Subscriber Information
    • YouTube Studio Status
  • YTStealer is frequently dropped alongside other stealers, particularly RedLine and Vidar.
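The behaviour described above (an installed browser launched in headless mode against the user's own profile to read session cookies) leaves a recognisable trace in process-creation telemetry. The following detector is an added example written for this report, not code from CloudSEK or from the Chacal or Rod projects; the sample events, the browser list, the profile-path hints and the allowlist of developer parents are all constructed assumptions that a real deployment would tune.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# These are illustrative samples, not telemetry from a real infection.
SAMPLE_EVENTS = [
    {   # headless Chrome pointed at the real user profile, spawned by a fake installer
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent": r"C:\Users\creator\Downloads\OBS_Studio_Setup.exe",
        "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                   r'--remote-debugging-port=9222 '
                   r'--user-data-dir="C:\Users\creator\AppData\Local\Google\Chrome\User Data"',
    },
    {   # ordinary interactive browser launch from the shell: no headless flag
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # headless Firefox against the real profile directory, spawned from %TEMP%
        "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "parent": r"C:\Users\creator\AppData\Local\Temp\fl_studio_crack.exe",
        "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -headless '
                   r'-profile "C:\Users\creator\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default"',
    },
    {   # developer automation: headless, but a throwaway profile and a trusted parent
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                   r'--user-data-dir=C:\Users\dev\AppData\Local\Temp\puppeteer_profile',
    },
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Chromium accepts --headless / --headless=new and --remote-debugging-port (DevTools
# protocol, which Rod-style drivers use); Firefox accepts -headless.
HEADLESS_FLAGS = re.compile(
    r"(?i)(?:^|\s)(?:--headless(?:=\w+)?|-headless|--remote-debugging-port=\d+)(?=\s|$)"
)

# Fragments of the default profile locations; a headless browser using one of these
# is reading the user's live cookie store rather than a scratch profile. (Assumed list.)
REAL_PROFILE_HINTS = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
    r"\bravesoftware\brave-browser\user data",
    r"\mozilla\firefox\profiles",
)

# Parents that legitimately drive headless browsers on developer machines (assumed allowlist).
TRUSTED_PARENTS = {"code.exe", "node.exe", "python.exe"}


@dataclass
class Finding:
    severity: str
    reason: str
    event: dict


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: dict):
    """Return a Finding for a suspicious headless browser launch, else None."""
    if basename(event["image"]) not in BROWSERS:
        return None
    if not HEADLESS_FLAGS.search(event["cmdline"]):
        return None
    cmdline = event["cmdline"].lower()
    parent = basename(event["parent"])
    if any(hint in cmdline for hint in REAL_PROFILE_HINTS):
        return Finding("high",
                       "headless browser opened against the user's real profile "
                       "(session-cookie theft pattern)", event)
    if parent in TRUSTED_PARENTS:
        return None
    return Finding("medium", f"headless browser launched by unexpected parent {parent}", event)


def scan(events):
    """Run assess() over a batch of events and keep only the findings."""
    return [finding for finding in map(assess, events) if finding is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.reason, "<-", basename(f.event["parent"]))
```

Against the constructed sample the detector raises two high-severity findings (the Chrome and Firefox launches that point at the real profile directories) and stays quiet on the interactive launch and on the throwaway-profile automation run. The profile-path check is what separates credential access from ordinary test automation, so it is worth keeping even when the parent-process allowlist is broadened.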

Delivery Mechanism

  • YTStealer lures YouTube creators using applications such as Adobe Pro and Filmora.

Data Exfiltration

  • Stolen data is encrypted and sent to a C2 server associated with the domain name of youbot[.]solutions.
  • The domain was registered in 2021 and is associated with Youbots Solutions LLC, listed on Google Business, and registered in Mexico.

Monetization

  • The stolen data, along with YouTube credentials, is sold on cybercrime forums.
  • The stolen authentication cookies can be used to gain access to YouTube channels or accounts and demand a ransom from the owner.

Impact & Mitigation

Impact
  • The stolen cookies allow the actor to log in as the user without re-entering the credentials.
  • Access to the victim’s channel can be used to conduct malware or phishing campaigns.
  • The authentication tokens bypass MFA and allow the actor to log into the user’s accounts.
Mitigation
  • Use a good antivirus or malware removal tool to detect and clean any infections.
  • Download software and applications only from trusted sites.

Indicators of Compromise (IoCs)

Based on the results from VirusTotal, the following are the IoCs for YTStealer.
Hashes
  • 132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a
  • 0ceda63f30a539d25356dbf5c2893fb56bb66daec3c1484ca84a18b692639d83
URL
  • http://pki.goog/gsr1/gsr1.crt
IP Addresses
  • 149.154.167.99
  • 185.200.191.18
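The indicators above are only useful once they are matched against telemetry, and one of them needs care: pki.goog is Google Trust Services' certificate-distribution host, and gsr1.crt is fetched by many legitimate programs during certificate-chain building, so it should be logged as context rather than used on its own as a blocking indicator. The matcher below is an added example for this report, not CloudSEK tooling; the log lines are constructed samples and the log format is assumed.

```python
import re

# Indicators exactly as published in the report above (domain kept defanged).
IOC_HASHES = {
    "132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a",
    "0ceda63f30a539d25356dbf5c2893fb56bb66daec3c1484ca84a18b692639d83",
}
IOC_DOMAINS = {"youbot[.]solutions"}
IOC_IPS = {"149.154.167.99", "185.200.191.18"}
# pki.goog serves Google Trust Services root certificates; a hit here alone is not evidence
# of infection, so it is reported as "context-url", never as a blocking match.
CONTEXT_URLS = {"http://pki.goog/gsr1/gsr1.crt"}

# Constructed log lines in an assumed key=value format (DNS, proxy and EDR sources).
SAMPLE_LOGS = [
    "2022-07-19T10:00:40Z edr host=editbox-01 event=FileCreate "
    "path=C:\\Users\\creator\\Downloads\\OBS_Studio.exe "
    "sha256=132F868AABBD82B36B283F0B6768133B6297DE0ACD5F47E6CB9A76DC07FD276A",
    "2022-07-19T10:01:02Z dns client=10.0.0.21 query=youbot.solutions type=A",
    "2022-07-19T10:01:03Z proxy client=10.0.0.21 dst=185.200.191.18:443 method=POST bytes=48213",
    "2022-07-19T10:02:00Z proxy client=10.0.0.22 dst=142.250.0.1:80 url=http://pki.goog/gsr1/gsr1.crt",
    "2022-07-19T10:02:05Z dns client=10.0.0.23 query=www.youtube.com type=A",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (youbot[.]solutions, hxxp://) back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def domain_pattern(domain: str) -> re.Pattern:
    # Match the domain as a whole label sequence so "youbot.solutions" does not
    # fire on "notyoubot.solutions" or "youbot.solutions.example".
    return re.compile(r"(?<![\w.-])" + re.escape(refang(domain)) + r"(?![\w.-])", re.I)


DOMAIN_PATTERNS = [domain_pattern(d) for d in IOC_DOMAINS]


def match_line(line: str):
    """Return a list of (category, indicator) pairs found in one log line."""
    matches = []
    for h in SHA256_RE.findall(line):
        if h.lower() in IOC_HASHES:
            matches.append(("hash", h.lower()))
    for pattern in DOMAIN_PATTERNS:
        found = pattern.search(line)
        if found:
            matches.append(("domain", found.group(0).lower()))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            matches.append(("ip", ip))
    for url in CONTEXT_URLS:
        if url in line:
            matches.append(("context-url", url))
    return matches


def scan(lines):
    """Return (line, matches) for every line that carries at least one indicator."""
    results = []
    for line in lines:
        matches = match_line(line)
        if matches:
            results.append((line, matches))
    return results


def blocking_hits(lines):
    """Only the lines whose matches include something stronger than a context URL."""
    return [(line, m) for line, m in scan(lines)
            if any(cat != "context-url" for cat, _ in m)]


if __name__ == "__main__":
    for line, matches in scan(SAMPLE_LOGS):
        print(matches, "<-", line[:60])
```

Over the constructed sample, scan() flags four lines (hash, domain, IP and the Google PKI context URL) while blocking_hits() keeps only the first three; the hash comparison is case-insensitive because EDR products differ in how they render SHA-256 values.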

Appendix

[Figure: Open-source tool named Chacal]
[Figure: Open-source tool named Rod]
[Figure: YOUBOT listed on Google Business]
[Figure: YouTube credentials on sale]
[Figure: VirusTotal analysis]
