YouTube content creator credentials are under siege by YTStealer malware

In online crime forums, specialization is everything. Enter YTStealer, a new piece of malware that steals authentication credentials belonging to YouTube content creators.
“What sets YTStealer apart from other stealers sold on the Dark Web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” Joakim Kennedy, a researcher at security firm Intezer, wrote in a blog post on Wednesday. “When it comes to the actual process, it is very similar to that seen in other stealers. The cookies are extracted from the browser’s database files in the user’s profile folder.”
As soon as the malware obtains a YouTube authentication cookie, it opens a headless browser and connects to YouTube’s Studio page, which content creators use to manage the videos they produce. YTStealer then extracts all available information about the user account, including the account name, number of subscribers, age, and whether channels are monetized.
The malware then encrypts each data sample with a unique key and sends it to a command and control server.
The structure of the YTStealer code and the unique identifier used for each sample lead Intezer to suspect that YTStealer is being sold as a service to other threat actors. Company researchers further noticed that files used to install the malware on victim computers loaded other credential stealers, including ones known as RedLine and Vidar.
Many of the files are disguised as installers for legitimate tools or software. They included fake installers for:
- OBS Studio, a piece of open source streaming software
- Video editing software, including Adobe Premiere Pro, Filmora, and HitFilm Express
- Audio applications and plugins such as Antares Auto-Tune Pro, Valhalla DSP, FabFilter Total, and Xfer Serum
- Game modes and cheats for games such as Grand Theft Auto V, Roblox, Counter-Strike, and Call of Duty
- Driver tools such as “Driver Booster” and “Driver Easy,” which bill themselves as a way of improving gaming computer performance
- “Cracks” for legitimate software or services including Norton Security, Malwarebytes, Discord Nitro, Stepn, and Spotify Premium
Hardcoded into YTStealer is the domain youbot[.]solutions. It’s not immediately clear if the domain is associated with Youbot Solutions LLC, which is registered in the New Mexico registry of companies. Attempts to reach the company for comment weren’t successful.