YTStealer Harvesting YouTube Account Credentials

Summary

XVigil has identified an info stealer malware named YTStealer that targets YouTube creators and steals their authentication cookies. The stealer enables an attacker to gain access to the accounts and to control, modify, and monetize them.
 
Category: Malware Intelligence
Type/Family: Stealer Malware
Industry: Media, Entertainment & Marketing
Region: Global

Executive Summary

Threat
  • YTStealer, an information stealer targeting YouTube creators to steal authentication cookies.
Impact
  • Stolen data allows access to and control over YouTube accounts.
  • Stolen cookies are used to log in without re-entering the credentials.
  • Access to the victim's channel can be used to conduct malware or phishing campaigns.
Mitigation
  • Use antivirus or malware removal tools.
  • Use trusted sites to download software.
  • Do not rely on cracked versions.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has identified an info stealer malware named YTStealer that targets YouTube creators and steals their authentication cookies.
  • The stealer enables an attacker to gain access to the accounts and to control, modify, and monetize them.
  • YTStealer impersonates video editing software, game cheats, or cracked software.

Categories of Impersonation
  • Software: OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares
  • Gaming Creators: Grand Theft Auto V, cheats for Counter-Strike: GO and Call of Duty, Valorant, or hacks for Roblox
  • Cracks: Norton Security and Malwarebytes, Discord Nitro and Spotify Premium

Working of the YTStealer

  • Upon execution, YTStealer uses an open-source tool named Chacal to:
    • Run anti-sandbox checks
    • Detect whether the malware is being analyzed in a sandbox
  • The malware then uses a tool named Rod to look for YouTube authentication cookies by driving one of the installed browsers in headless mode.
  • The following data is collected:
    • YouTube authentication cookies
    • YouTube Channel Name
    • Monetization Status
    • Subscriber Information
    • YouTube Studio Status
  • YTStealer is frequently dropped alongside other stealers, particularly the Redline and Vidar stealers.

Delivery Mechanism

  • YTStealer lures YouTube creators with downloads posing as applications such as Adobe Pro and Filmora.

Data Exfiltration

  • Stolen data is encrypted and sent to a C2 server associated with the domain youbot[.]solutions.
  • The domain was registered in 2021 and is associated with Youbots Solutions LLC, which is listed on Google Business and registered in Mexico.

Monetization

  • The stolen data, along with YouTube credentials, is sold on cybercrime forums.
  • The stolen authentication cookies can be used to gain access to YouTube channels or accounts and demand a ransom from the owner.

Impact & Mitigation

Impact
  • The stolen cookies allow the attacker to log in without re-entering the user's credentials.
  • Access to the victim’s channel can be used to conduct malware or phishing campaigns.
  • The stolen cookies carry an already-authenticated session, so they bypass MFA and allow the actor to log into the user’s accounts.
Mitigation
  • Use a good antivirus or malware removal tool to detect and clean any infections.
  • Download software or applications only from trusted sites.

Indicators of Compromise (IoCs)

Based on the results from VirusTotal, the following are the IoCs for YTStealer.

Hashes (SHA-256)
  • 132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a
  • 0ceda63f30a539d25356dbf5c2893fb56bb66daec3c1484ca84a18b692639d83
URL
  • http://pki.goog/gsr1/gsr1.crt
    Note that pki.goog is the certificate distribution host of Google Trust Services, and this URL is also fetched by legitimate TLS clients completing a certificate chain, so on its own it is a weak indicator.
IP Addresses
  • 149.154.167.99
  • 185.200.191.18
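Two of the behaviours above lend themselves to endpoint detection: a real browser binary started in headless mode by something other than a browser or the shell (the Rod-based cookie harvesting under "Working of the YTStealer"), and contact with the C2 infrastructure listed here. The following is an added example, not CloudSEK's code; it runs both checks over constructed telemetry. The Chrome flags, the expected-parent list, the event format and the file name FilmoraSetup.exe are assumptions to tune for your own environment.

```python
import re

# Indicators from the advisory (the domain is written youbot[.]solutions there).
C2_DOMAINS = {"youbot.solutions"}
C2_IPS = {"149.154.167.99", "185.200.191.18"}
YTSTEALER_HASHES = {
    "132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a",
    "0ceda63f30a539d25356dbf5c2893fb56bb66daec3c1484ca84a18b692639d83",
}
# Chrome flags that DevTools-protocol automation such as Rod passes when it
# drives a browser headlessly; an assumption, tune to your environment.
HEADLESS_FLAGS = ("--headless", "--remote-debugging-port")
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Parents from which a headless browser launch is assumed to be legitimate.
EXPECTED_PARENTS = BROWSERS | {"explorer.exe", "services.exe"}

def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def scan(events):
    """Return (rule, event) hits over 'key=value|key=value' endpoint events."""
    hits = []
    for ev in events:
        f = dict(kv.split("=", 1) for kv in ev.split("|"))
        if f["type"] == "process":
            image, parent = _basename(f["image"]), _basename(f["parent"])
            headless = any(flag in f.get("cmd", "") for flag in HEADLESS_FLAGS)
            # Rod-style cookie harvesting: a real browser binary started headless
            # by something that is not a browser or the shell.
            if image in BROWSERS and headless and parent not in EXPECTED_PARENTS:
                hits.append(("headless_browser_unexpected_parent", ev))
            if f.get("sha256", "").lower() in YTSTEALER_HASHES:
                hits.append(("known_ytstealer_hash", ev))
        elif f["type"] == "network":
            domain = f.get("domain", "").replace("[.]", ".").rstrip(".").lower()
            if f.get("dst") in C2_IPS or domain in C2_DOMAINS:
                hits.append(("ytstealer_c2_contact", ev))
    return hits

# Constructed sample telemetry: a normal launch, a suspicious launch, a C2 hit.
SAMPLE_EVENTS = [
    "type=process|image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|parent=C:\\Windows\\explorer.exe|cmd=chrome.exe --profile-directory=Default",
    "type=process|image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|parent=C:\\Users\\v\\Downloads\\FilmoraSetup.exe"
    "|cmd=chrome.exe --headless --remote-debugging-port=0 --user-data-dir=C:\\ud"
    "|sha256=132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a",
    "type=network|src=10.0.0.5|dst=185.200.191.18|domain=youbot.solutions",
]
```

The benign launch produces no hit; the lure process launching Chrome headless matches both the behavioural rule and the hash rule, and the network event matches the C2 rule.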

Appendix

Figure: Open-source tool named Chacal
Figure: Open-source tool named Rod
Figure: YOUBOT listed on Google Business
Figure: YouTube credentials on sale
Figure: VirusTotal analysis