YTStealer Malware Strikes – It Starts with Authentication Cookies

Social media platforms have introduced us to millions of influencers and content creators. The more popular they become, the more they get to share and even earn. Unfortunately, this popularity doesn't come without a price, as they also become targets for cybercriminals. It started with high-profile accounts on TikTok, and now it's YouTube's turn – enter YTStealer malware.

YTStealer malware

YouTube has a lot of content creators, most of whom use the platform to make a living. That makes them a perfect target for threat actors who want to steal their authentication tokens and hijack their channels.

With advanced and specialized tricks, the attackers have every means to succeed. But how is the YTStealer malware delivered, and what are the attackers really after? We've discussed everything below.

YTStealer Malware – Talk About Binge-Stealing

The use of YouTube is still skyrocketing. In fact, more than 1 billion hours of content are watched across the world every day.

The platform has channels for everything: cooking, entertainment, education, gaming, business, and more. That definitely makes it a target for cybercriminals.

The YTStealer malware doesn’t just focus on high-profile channels. On the contrary, it targets anyone regardless of their status on the platform.

According to a study by Intezer, the malware impersonates whatever tool the creator needs. For example, it disguises itself as video-editing software, which is the ultimate lure for content creators.

Not only that, but YTStealer also targets the gaming community by impersonating popular mods. People mainly use mods to make their gaming experience easier or to create more content despite the game's limitations.

This has become very popular even among the top gaming channels on YouTube. Again, popularity attracts attention, and cybercriminals will target the creators.

To lure victims, the malware impersonates mods for Grand Theft Auto V and the Valorant game, hacks for Roblox, or cheats for Call of Duty.

Aside from YouTube, YTStealer has also made a smaller appearance around services such as Discord Nitro and Spotify Premium. Apparently, the actors behind it have broader aims.

Not only that, but it also bundles itself with other information stealers such as the infamous RedLine and Vidar. Talk about a full-force attack.

Authentication Cookies Stolen – A Malicious Appetite

YTStealer uses the open-source Chacal tool to run anti-sandbox checks. Once the attackers determine that the victim can be targeted, YTStealer examines the browser's SQL database files in hopes of finding YouTube authentication tokens.

Finally, the malware launches the web browser in headless mode to validate the tokens and adds the harvested cookies to its store.

That covers its core functionality, but it doesn't end there. If the device is susceptible to infiltration, the malware can collect other forms of data, such as:

  • The name of the YouTube channel
  • The number of subscribers
  • Official artist channel status
  • Date of creation
  • Monetization status

Unfortunately, with the authentication cookies at the attacker's disposal, multi-factor authentication is rendered useless. The stolen session tokens bypass MFA and give the threat actors the ability to log into the hijacked accounts.
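As an added illustration (not code from the article or from Intezer's report), here is a small hunting routine over constructed endpoint telemetry that flags the two behaviours described above: a non-browser process reading a browser cookie database, and a browser launched in headless mode by an unexpected parent. The log line format, the process names (the lure is named "VideoEditorPro.exe" here) and the profile paths are assumptions for the example.

```python
import re
from typing import List, Optional, Tuple

# Browser images that legitimately touch their own cookie stores.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Parents that commonly spawn a browser; a headless launch from anything else is worth a look.
EXPECTED_PARENTS = BROWSERS | {"explorer.exe"}

# Chromium keeps cookies in "User Data\<profile>\[Network\]Cookies"; Firefox in cookies.sqlite.
COOKIE_DB = re.compile(r"(\\User Data\\[^\\]+\\(Network\\)?Cookies|\\cookies\.sqlite)$", re.I)
HEADLESS = re.compile(r"(^|\s)--headless(=\S+)?(\s|$)")

def parse_line(line: str) -> Tuple[str, str, str, str, str]:
    """Split one telemetry line: ts|kind|process|parent|detail (detail may contain '|')."""
    ts, kind, process, parent, detail = line.rstrip("\n").split("|", 4)
    return ts, kind, process.lower(), parent.lower(), detail

def classify(kind: str, process: str, parent: str, detail: str) -> Optional[str]:
    """Return an alert label for one event, or None when it looks benign."""
    if kind == "file_read" and COOKIE_DB.search(detail) and process not in BROWSERS:
        return "cookie DB read by non-browser process"
    if kind == "proc_create" and process in BROWSERS and HEADLESS.search(detail) \
            and parent not in EXPECTED_PARENTS:
        return "headless browser spawned by unexpected parent"
    return None

def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over telemetry lines; return (timestamp, process, label) per hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, kind, process, parent, detail = parse_line(line)
        label = classify(kind, process, parent, detail)
        if label:
            hits.append((ts, process, label))
    return hits

# Constructed sample telemetry (not real logs). "VideoEditorPro.exe" stands in for the lure.
SAMPLE = r"""
2022-06-29T10:00:01|file_read|chrome.exe|explorer.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2022-06-29T10:03:12|file_read|VideoEditorPro.exe|explorer.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2022-06-29T10:03:13|file_read|VideoEditorPro.exe|explorer.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\cookies.sqlite
2022-06-29T10:04:00|proc_create|chrome.exe|explorer.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default
2022-06-29T10:04:30|proc_create|chrome.exe|VideoEditorPro.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu
""".strip("\n").splitlines()

if __name__ == "__main__":
    for ts, process, label in hunt(SAMPLE):
        print(ts, process, label)
```

Developer tooling that drives headless browsers (for example node.exe running test suites) will trip the second rule, so tune EXPECTED_PARENTS to your environment before alerting on it.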

YTStealer Strikes Big – Your Tokens Are Theirs

According to the security firm, the stolen accounts are sold on the dark web, at prices that vary depending on how big the channel is.

In other words, the bigger the channel, the more expensive it becomes. If the attackers choose not to sell, they can easily use the accounts for various scams, usually to steal cryptocurrency, or demand a ransom from the actual owners.

If you avoid downloading such applications from unknown sources, you can avoid this entire predicament. Make sure you stay vigilant – what you stand to lose is pretty big.
