New YTStealer malware hijacks YouTube channels

YTStealer is a new infostealer targeting YouTube content creators to steal authentication tokens and take over their channels.

Automated security intelligence solutions provider Intezer has reported that new information-stealing malware, dubbed YTStealer, is targeting YouTube channels. The malware steals authentication cookies and focuses entirely on hijacking YouTube channels, whether they belong to an established influencer or a newcomer, and regardless of size.

After retrieving the credentials, the attacker can do whatever they want with the channel. High-value accounts are usually put up for sale or further abused to distribute malware to other users. Surprisingly, YTStealer has a very narrow goal, stealing only YouTube channel tokens, and that focus is what makes the operation so effective.

Malware Dynamics

Intezer researchers explained that YTStealer is often bundled with other information stealers such as Vidar or RedLine. The additional malware is dropped alongside YTStealer to widen the attacker's reach.

An Intezer scan of one of the samples that spreads YTStealer along with the RedLine stealer.

The malware first performs anti-sandbox checks using the open source tool Jackal before running on the host. If the infected device is deemed a suitable target, YTStealer inspects the browser's database files to locate YouTube channel authentication tokens. To validate them, the malware launches the web browser in headless mode, so the whole operation stays hidden from the victim, and adds the stolen cookie to the browser's cookie store.

If the cookie is valid, the malware collects further data, including the channel name, creation date, number of subscribers, official artist channel status, and monetization details. The malware uses the Rod library to control the browser. This shows how attackers exfiltrate information from YouTube channels without any manual intervention.
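Detection logic a defender might run over process-creation events to spot the headless-browser launch described above. This is an added example, not code from Intezer's report; the pipe-delimited log format, the constructed sample lines, and the parent allow-list are assumptions.

```python
"""Flag headless-browser launches from unexpected parent processes.

YTStealer validates stolen cookies by driving a browser in headless mode
(via the Rod library), so a browser started with --headless by a parent
that is not the browser itself or the shell is worth investigating.
"""
import re
from typing import Dict, List

# Constructed process-creation events (assumed format):
# timestamp|parent_image|image|command_line
SAMPLE_LOG = """\
2022-06-29T10:00:01Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --profile-directory=Default
2022-06-29T10:00:05Z|C:\\Users\\vic\\Downloads\\OBS_Setup.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\\Users\\vic\\AppData\\Local\\Temp\\rod
2022-06-29T10:00:09Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --type=renderer
2022-06-29T10:01:00Z|C:\\Users\\vic\\dev\\pytest.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --headless --screenshot
"""

BROWSERS = ("chrome.exe", "msedge.exe", "chromium.exe", "brave.exe")
# Parents that legitimately spawn the browser (assumed allow-list; tune per fleet).
BENIGN_PARENTS = ("explorer.exe",) + BROWSERS
HEADLESS = re.compile(r"(^|\s)--headless(\b|=)", re.IGNORECASE)


def parse(line: str) -> Dict[str, str]:
    """Split one event into fields, reducing image paths to their basenames."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd}


def suspicious_headless_launches(log: str) -> List[Dict[str, str]]:
    """Return browser launches with --headless whose parent is not allow-listed."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if (ev["image"] in BROWSERS and HEADLESS.search(ev["cmd"])
                and ev["parent"] not in BENIGN_PARENTS):
            # Rod drives the browser over the DevTools protocol, so an exposed
            # remote-debugging port raises the priority of the hit.
            ev["devtools"] = "--remote-debugging-port" in ev["cmd"]
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in suspicious_headless_launches(SAMPLE_LOG):
        print(h["ts"], h["parent"], "->", h["image"], "devtools" if h["devtools"] else "")
```

Headless launches parented by the browser itself or by explorer.exe are ignored, so only the two lines from the installer lookalike and the test runner are reported; the first carries the DevTools flag.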

Main targets: YouTube content creators

According to Intezer's blog post, YTStealer targets only YouTube content creators; its main lure is therefore to masquerade as video editing or content creation software, such as OBS Studio, FL Studio, Adobe Premiere Pro, Ableton Live, Filmora, and Antares Auto-Tune Pro.

In other cases, where YTStealer specifically targets gaming content creators, it impersonates Grand Theft Auto V mods, cheats for Valorant, Counter-Strike: GO and Call of Duty, or Roblox hacks. Researchers have also found malware-infected token generators and cracks for Spotify Premium and Discord Nitro.

Hacked channels are sold on the Dark Web

The operation is fully automated, and the stolen YouTube accounts are sold on the Dark Web. Pricing is determined by channel size, so larger and more influential channels cost more.

Buyers of these channels use the stolen authentication cookies to hijack the channel and then demand a ransom from the original owners or run cryptocurrency scams. Even if the account is protected by MFA, a stolen authentication token represents an already-authenticated session, so it bypasses the second factor and lets the attacker log straight into the account.

YouTube content creators are advised to periodically log out of their accounts, which invalidates the existing authentication tokens.

Raymond T. Helms