A new malware called YTStealer allows hackers to steal the authentication credentials of YouTube creators. It is hyper-specialized software shared on dark web forums.
YTStealer, the malware that steals the credentials of YouTube creators
A recent post published by Joakim Kennedy of the cybersecurity company Intezer describes a highly specialized piece of malware. Kennedy explains: “What sets YTStealer apart from other stealers sold on the Dark Web is that it focuses solely on collecting and selling credentials for a single service instead of taking everything it can.”
Kennedy, however, adds that “when it comes to the process, it is similar in all respects to the other stealers. It extracts cookies from the browser database in the user profiles folder.” By doing so, it obtains the data needed to log into the creators’ YouTube accounts.
Once the cookies are found, it opens a “headless browser” to connect to the victim’s YouTube Studio page, the interface creators use to manage the videos they upload to the platform. From there it extracts all the data on the user’s account, including subscriber numbers and account monetization information.
At this point the malware encrypts the collected data with a unique key. In this way the attackers can blackmail users or sell their credentials on the web.
The analysis of the code also shows that the installed YTStealer package contains other files for further logins, even if they are not active. Among these are modules for OBS Studio, for several video editing programs such as Adobe Premiere Pro or Filmora, and for audio applications such as Auto-Tune Pro, plus games like GTA V, Roblox and Call of Duty. In short: several tools used by online creatives.
The analysis suggests that YTStealer is being sold as “malware as a service” to target specific people. The security company has reportedly tracked down a possible related domain (youbot[.]solutions), although it is currently unclear whether this could lead to identifying the hackers. We will keep you posted.