Oyogist has learned that Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies.
The malware named “YTStealer” by Intezer, is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar.
“What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” security researcher Joakim Kenndy said in a report.
How Does YT Stealer Malware Operate?
The YT Stealer malware extracts the cookie information from its victims web browser’s database files in the user’s profile folder.
The reasoning given behind targeting content creators is that it uses one of the installed browsers on the infected machine to gather YouTube channel information.
It achieves this by launching the browser in headless mode and adding the cookie to the data store, followed by using a web automation tool called Rod to navigate to the user’s YouTube Studio page, which enables content creators to “manage your presence, grow your channel, interact with your audience, and make money all in one place.
“From there, the malware captures information about the user’s channels, including the name, the number of subscribers, and its creation date, alongside checking if it’s monetized.