YTStealer is a newly documented information stealer built to steal YouTube authentication cookies. Discovered by Intezer researchers, the malware, which is based on the open-source Chacal GitHub project, otherwise behaves like a typical stealer: once installed, its first task is a set of environment checks to determine whether it is being analyzed in a sandbox.
YTStealer in Detail
According to Intezer’s report, what makes YTStealer unique is that it is focused solely on stealing YouTube credentials. In terms of how it works, however, it is not much different from the ordinary information stealers sold on the Dark Web.
How does YTStealer work?
If the malware finds authentication cookies for YouTube, it does the following:
To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store. By starting the web browser in headless mode, the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything, Intezer said.
A specific library called Rod is used to control the browser. Rod provides a high-level interface to control browsers over the DevTools Protocol and markets itself as a tool for web automation and scraping, the report added.
YTStealer uses the web browser to navigate to YouTube Studio, the page content creators use to manage their content. There, the malware harvests information about the user’s channels: the channel name, how many subscribers it has, how old it is, whether it is monetized, whether it is an official artist channel, and whether the channel name is verified. These details are encrypted with a key unique to each sample and sent to the command-and-control server together with a sample identifier.
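The cookie-validation step described above leaves a process-level footprint: a Chromium-based browser started with headless and DevTools remote-debugging switches by a parent that is not itself a browser. The following is an added detection example written for this article; it is not code from Intezer’s report, from YTStealer, or from the Rod project. The exact switches Rod passes (`--headless`, `--remote-debugging-port`, a fresh `--user-data-dir` under the temp directory) are an assumption based on Rod’s launcher defaults, the Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`) are the analyst’s choice, and the process-creation events are constructed for the example.

```python
"""Flag Chromium-based browsers launched headless with DevTools remote
debugging by a non-browser parent, the footprint a Rod-driven cookie
validation would leave in process-creation telemetry.

Added example, not code from Intezer, YTStealer or Rod. The launcher
switches checked here are an assumption about Rod's defaults; the log
lines are constructed for this example.
"""
import json
import re
from pathlib import PureWindowsPath

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Placeholder allowlist of parents that legitimately drive a headless
# browser (assumption: tune per environment, e.g. a CI test runner).
ALLOWED_PARENTS = {"ci-browser-tests.exe"}

# Path fragments that mark a throwaway profile in a temp directory.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Matches "--switch" or "--switch=value" (quoted or bare value), only when
# preceded by whitespace so "--" inside URLs or paths is ignored.
FLAG_RE = re.compile(r'(?:^|\s)--([A-Za-z0-9-]+)(?:=("[^"]*"|\S*))?')


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _flags(cmdline: str) -> dict:
    """Return {switch: value} for every --switch on the command line."""
    return {k.lower(): v.strip('"') for k, v in FLAG_RE.findall(cmdline)}


def classify(event: dict):
    """Return a finding for one process-creation event, or None."""
    image = _basename(event.get("Image", ""))
    if image not in CHROMIUM_IMAGES:
        return None
    flags = _flags(event.get("CommandLine", ""))
    # Chromium helper processes (renderer, gpu-process, utility) inherit
    # the parent's switches and carry --type=...; they are not a launch.
    if "type" in flags:
        return None
    if "headless" not in flags or "remote-debugging-port" not in flags:
        return None
    parent = _basename(event.get("ParentImage", ""))
    if parent in CHROMIUM_IMAGES or parent in ALLOWED_PARENTS:
        return None
    indicators = ["headless", "remote-debugging-port"]
    profile = flags.get("user-data-dir", "").lower()
    if any(marker in profile for marker in TEMP_MARKERS):
        indicators.append("temp-profile")
    return {"parent": parent, "image": image, "indicators": indicators}


def scan(jsonl: str) -> list:
    """Run classify() over newline-delimited JSON events."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). Event 2 and event 4 are the
# suspicious launches; 1 is a user-started browser, 3 a renderer child of
# event 2, 5 a developer's non-headless remote-debugging session.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\""}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --remote-debugging-port=0 --no-first-run --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Temp\\rod\\user-data\\abc123\" about:blank"}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --headless --remote-debugging-port=0"}
{"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\ytdl-helper.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --headless=new --remote-debugging-port=9222 --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\UserData"}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=9222"}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run as a script, this reports the two launches driven by `sample.exe` and `ytdl-helper.exe`, with the first also tagged `temp-profile` because its profile directory sits under the user’s temp folder. Skipping events that carry `--type=` matters in practice: every renderer and GPU helper a headless browser spawns repeats the parent’s switches, so without that filter one automation session produces a dozen alerts.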
What YouTube channels are targeted?
“YTStealer doesn’t discriminate about what credentials it steals, whether it’s someone uploading Minecraft videos to share with a few friends or a channel like Mr. Beast with millions of subscribers. On the Dark Web, the “quality” of stolen account credentials influences the asking price, so access to more influential YouTube channels would command higher prices,” the report said.
Last year, security researchers identified a vulnerability in the YouTube platform that could make private videos visible at reduced resolution. To exploit the flaw, an attacker would need to know (or guess) the video identifier. The issue was reported to Google via its Vulnerability Rewards Program.