YTStealer Malware, which targets YouTube content creators

Cybersecurity researchers have discovered, and are still investigating, a piece of malware that targets YouTube content creators by stealing their authentication cookies.

According to Intezer, "YTStealer" appears to be sold as a service on the dark web and is distributed through fake installers that also drop RedLine Stealer and Vidar.

Security researcher Joakim Kennedy, writing for Intezer, says that YTStealer stands out from other dark web stealers because it focuses solely on harvesting credentials for a single service rather than stealing everything it can get its hands on.

Like its counterparts, the malware extracts cookie data from the browser's database files in the user's profile folder. What sets it apart is what it does next: after enumerating the browsers installed on the infected machine, it concentrates exclusively on the victim's YouTube channel.

Using an automation tool called Rod, the malware launches the browser in headless mode and opens the user's YouTube Studio page, the dashboard that lets content creators "manage your presence," "grow your channel, interact with your audience, and make money all in one place."

All of the information collected there is sent to a remote server at "youbot[.]solutions", from where it can be put to malicious use.
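The behaviours described above (a non-browser process reading the cookie store in the browser profile folder, a headless browser launched through Rod, and a callback to youbot[.]solutions) are what a defender would hunt for. The following is an added example, not code from the article or from Intezer's report: a small Python rule set run over constructed, Sysmon-style JSON-lines telemetry. The event schema, the browser list and the sample paths are assumptions.

```python
import json
from typing import Iterable, Iterator, Optional, Tuple
# Heuristics follow the behaviours the article describes; the event fields
# (type, image, parent, cmdline, path, query) are a constructed Sysmon-like
# schema, an assumption rather than any real product's log format.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
COOKIE_DB_NAMES = {"cookies", "cookies.sqlite"}  # Chromium / Firefox cookie stores
C2_DOMAINS = {"youbot.solutions"}                # article writes it youbot[.]solutions

def _basename(path: str) -> str:
    # Accept Windows or POSIX separators regardless of the host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()
def classify(event: dict) -> Optional[str]:
    """Return an alert name for one event, or None if it looks benign."""
    kind = event.get("type")
    image = _basename(event.get("image", ""))
    if kind == "file_read":
        # Stealers read the cookie DB straight from the profile folder; a browser opening its own store is normal.
        if _basename(event.get("path", "")) in COOKIE_DB_NAMES and image not in BROWSERS:
            return "non_browser_reads_cookie_db"
    elif kind == "process_create":
        # Rod-style automation starts the browser headless from a foreign parent.
        parent = _basename(event.get("parent", ""))
        if image in BROWSERS and "--headless" in event.get("cmdline", "") and parent not in BROWSERS:
            return "headless_browser_from_non_browser_parent"
    elif kind == "dns_query" and event.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        return "known_ytstealer_c2_domain"
    return None

def scan(lines: Iterable[str]) -> Iterator[Tuple[str, dict]]:
    """Yield (alert, event) for each JSON-lines event that trips a rule."""
    for line in lines:
        if line.strip():
            event = json.loads(line)
            alert = classify(event)
            if alert:
                yield alert, event

# Constructed sample telemetry (not real data); '/' separators avoid escaping.
DROPPER = "C:/Users/u/Downloads/Premiere_Setup.exe"
CHROME = "C:/Program Files/Google/Chrome/Application/chrome.exe"
COOKIES = "C:/Users/u/AppData/Local/Google/Chrome/User Data/Default/Network/Cookies"
SAMPLE = [json.dumps(e) for e in (
    {"type": "file_read", "image": DROPPER, "path": COOKIES},
    {"type": "file_read", "image": CHROME, "path": COOKIES},
    {"type": "process_create", "image": CHROME, "parent": DROPPER, "cmdline": "chrome.exe --headless"},
    {"type": "dns_query", "image": DROPPER, "query": "youbot.solutions."},
    {"type": "dns_query", "image": CHROME, "query": "studio.youtube.com"},
)]
```

Running `list(scan(SAMPLE))` flags the dropper's cookie read, the headless launch and the C2 lookup while leaving the browser's own cookie access and the YouTube Studio lookup alone.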

Additionally, YTStealer uses the open-source Chacal "anti-VM framework" to thwart debugging and memory analysis.

Analysis of the domain revealed that it was registered on December 12th, 2021, and that it may be linked to a software company of the same name in New Mexico, United States, which offers "unique solutions for getting and monetizing targeted traffic."

Open-source intelligence gathered by Intezer, however, has also linked the supposed company's logo to Aparat, an Iranian video-sharing service.

Dropper payloads delivering YTStealer and RedLine Stealer are often disguised as installers for legitimate video editing software like Adobe Premiere Pro, Filmora and HitFilm Express, audio tools like Ableton Live 11 and FL Studio, game mods for Counter-Strike: Global Offensive and Call of Duty, or cracked security products like Avast Antivirus.

"YTStealer doesn't discriminate," Kennedy said of the stolen credentials. Because the "quality" of a stolen account influences its asking price, access to more influential YouTube channels would command a higher price on the dark web.
