In online crime forums, specialization is everything. Enter YTStealer, a new piece of malware that steals authentication credentials belonging to YouTube content creators.

“What sets YTStealer aside from other stealers sold on the Dark Web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” Joakim Kennedy, a researcher at security firm Intezer, wrote in a blog post on Wednesday. “When it comes to the actual process, it is very similar to that seen in other stealers. The cookies are extracted from the browser’s database files in the user’s profile folder.”

As soon as the malware obtains a YouTube authentication cookie, it opens a headless browser and connects to YouTube’s Studio page, which content creators use to manage the videos they produce. YTStealer then extracts all available information about the user account, including the account name, number of subscribers, age, and whether channels are monetized. The malware then encrypts each data sample with a unique key and sends both to a command and control server.

The structure of the YTStealer code and the unique identifier used for each sample lead Intezer to suspect that YTStealer is being sold as a service to other threat actors. Company researchers further noticed that files used to install the malware on victim computers loaded other credential stealers, including ones called RedLine and Vidar.

Many of the files are disguised as installers for legitimate tools or software, such as OBS Studio, a piece of open source streaming software, and video editing software, including Adobe Premiere Pro, Filmora, and HitFilm Express.

Hardcoded into YTStealer is the domain youbotsolutions. It’s not immediately clear if the domain is connected to Youbot Solutions LLC, which is registered in the New Mexico registry of corporations.