June 30, 2022

A report from Intezer has provided further analysis on a new information stealing malware called YTStealer. YTStealer attempt to steal YouTube content creators’ authentication tokens and hijack their accounts.

As YTStealer focuses on one target, the malware authors are therefore able to make their token theft operation very effective by incorporating advanced, specialized tricks.

Since the malware also targets YouTube creators, most of its distribution uses lures impersonating software that edits videos or serves as content for new videos. Impersonated software that includes malicious YTStealer installers include OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares Auto-Tune Pro, and Filmora.

Researchers explain that the malware is bundled with other information stealing malware. This means it is treated as a “bonus” dropped alongside malware that targets password theft dropped from a wider range of software.

Before running on the host, the malware performs some anti-sandbox checks using the open source tool Chacal. Once the machine is a valid target, the malware checks the browser’s SQL database files to find YouTube authentication tokens, then validates them by launching the web browser in headless mode and adding the stolen cookie to its store.

The sources for this piece include an article in BleepingComputer.