YouTube content creators are once again being targeted, this time by a campaign built around an infostealer dubbed YTStealer, which steals their browser authentication tokens in order to hijack their channels. Unlike general-purpose stealers, it has a single specialised objective, and that focus is what makes it an effective tool against its targets.
The threat operators distribute the infostealer disguised as video-editing and production tools that content creators are likely to want. In other cases they approach creators with fake content proposals or video ideas to lure them into installing the malware.
Software imitated to spread YTStealer includes Adobe Premiere Pro, Filmora, Ableton Live, FL Studio, OBS Studio, and Antares Auto-Tune Pro. Creators who post gaming videos are targeted as well: the threat actors also imitate mods for popular games such as GTA V, Call of Duty, and Roblox, and cracked versions of Spotify Premium and Discord Nitro were also found bundling the infostealer.
YTStealer is also typically bundled with other malware strains such as the RedLine and Vidar infostealers, so a single infection exposes not only YouTube tokens but also the credentials and passwords stored on the victim's machine.
After running anti-sandbox checks and confirming that the machine is a genuine target, YTStealer inspects the browser's SQLite database files for YouTube authentication cookies. The malware then launches a headless browser with the stolen cookies to validate them and harvest more data about the creator, including the channel name, subscriber count, and monetisation status.
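To make the step above concrete, here is an added incident-response triage script. It is not YTStealer's code and not from the article's source; it opens a copy of a Chromium-style Cookies database and lists the YouTube/Google login cookies it contains together with how long each remains usable, which is exactly the material a stealer walks away with. The table schema is a constructed subset of Chromium's real `cookies` table, the rows are constructed sample data, and the cookie names and hosts are assumptions for illustration.

```python
import sqlite3
from typing import Dict, List

# Chromium stores cookie timestamps as microseconds since 1601-01-01 UTC;
# subtracting this offset (in seconds) converts them to Unix time.
WEBKIT_EPOCH_OFFSET = 11_644_473_600

# Hosts whose cookies carry the Google/YouTube login (assumed for this triage).
LOGIN_HOSTS = (".youtube.com", ".google.com")

# Constructed sample rows modelled on a subset of Chromium's "cookies" table.
# Real profiles keep the value in an encrypted_value BLOB (DPAPI on Windows,
# an OS keyring or fixed key on Linux); the values here are placeholders.
FAR_FUTURE = (WEBKIT_EPOCH_OFFSET + 1_800_000_000) * 1_000_000
PAST = (WEBKIT_EPOCH_OFFSET + 1_600_000_000) * 1_000_000
SAMPLE_ROWS = [
    # host_key,      name,         value,       expires_utc, is_persistent
    (".youtube.com", "SID",        "tok-sid",   FAR_FUTURE,  1),
    (".youtube.com", "LOGIN_INFO", "tok-login", FAR_FUTURE,  1),
    (".google.com",  "SAPISID",    "tok-sapi",  PAST,        1),   # already expired
    (".youtube.com", "YSC",        "tok-ysc",   0,           0),   # session cookie, no expiry
    (".example.org", "theme",      "dark",      FAR_FUTURE,  1),   # unrelated, ignored
]


def webkit_to_unix(webkit_us: int) -> int:
    """Convert a Chromium/WebKit microsecond timestamp to Unix seconds."""
    return webkit_us // 1_000_000 - WEBKIT_EPOCH_OFFSET


def build_sample_db() -> sqlite3.Connection:
    """In-memory database shaped like the constructed subset of Chromium's cookie store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, "
        "expires_utc INTEGER, is_persistent INTEGER)"
    )
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def open_cookie_db(path: str) -> sqlite3.Connection:
    """Open a *copied* Cookies file read-only; the running browser holds the live one."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def exposed_login_cookies(conn: sqlite3.Connection, now_unix: int) -> List[Dict]:
    """List the YouTube/Google login cookies present, with whether each is still usable."""
    marks = ",".join("?" for _ in LOGIN_HOSTS)
    rows = conn.execute(
        f"SELECT host_key, name, expires_utc, is_persistent FROM cookies "
        f"WHERE host_key IN ({marks})",
        LOGIN_HOSTS,
    ).fetchall()
    report = []
    for host, name, expires_utc, persistent in rows:
        if persistent:
            exp = webkit_to_unix(expires_utc)
            usable = exp > now_unix
            days_left = max(0, (exp - now_unix) // 86_400)
        else:
            # A session cookie carries no expiry; if it was on disk when the
            # file was copied it is treated as live.
            exp, usable, days_left = None, True, None
        report.append({
            "host": host, "name": name, "persistent": bool(persistent),
            "expires_unix": exp, "usable_now": usable, "days_left": days_left,
        })
    return sorted(report, key=lambda r: (r["host"], r["name"]))


if __name__ == "__main__":
    for row in exposed_login_cookies(build_sample_db(), now_unix=1_700_000_000):
        print(row)
```

The point the output makes is that persistent login cookies typically expire years out, so local expiry offers no protection once the file has been copied; only server-side invalidation (logging out) does. The script deliberately does not decrypt values, which a stealer does and a responder does not need to.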
All channels, small or large, are at risk from the YTStealer operators.
The data the threat actors amass is put up for sale on underground forums, at prices that vary with the size of the YouTube channel. A buyer then uses the account to run further scams, or locks the owner out and demands a ransom for its return.
Even if MFA is enabled on the account, the stolen authentication cookies let the operators bypass it: the cookie represents a login that has already passed the second factor, so the server does not ask for it again. Creators should therefore log out periodically, because logging out invalidates the session on the server side and renders a copied cookie useless; signing out of all devices from the account's security settings does the same for every session at once.
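The following toy authentication server is an added illustration of why a stolen cookie sidesteps MFA and why logging out helps. It is not YouTube's or Google's login flow and not code from the article's source; the user record, the one-time code, and the session-cookie format are all assumptions made for the example.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed user record for the example; a real service stores hashes and
# derives the OTP from a shared secret rather than keeping it in the clear.
USERS = {"creator": {"password": "correct horse battery", "otp": "123456"}}


class AuthServer:
    """Minimal server-side session table: cookie value -> username."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, user: str, password: str, otp: str) -> Optional[str]:
        """Full login path. Password and MFA code are checked here, and only here."""
        rec = USERS.get(user)
        if rec is None:
            return None
        if not secrets.compare_digest(password, rec["password"]):
            return None
        if not secrets.compare_digest(otp, rec["otp"]):
            return None
        cookie = secrets.token_urlsafe(32)  # the value the browser stores on disk
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie: str) -> Optional[str]:
        """Cookie-authenticated request: a table lookup, no password, no MFA."""
        return self.sessions.get(cookie)

    def logout(self, cookie: str) -> None:
        """Invalidate one session server-side; a copy of the cookie is now worthless."""
        self.sessions.pop(cookie, None)

    def logout_everywhere(self, user: str) -> int:
        """'Sign out of all devices': drop every session belonging to the user."""
        doomed = [c for c, u in self.sessions.items() if u == user]
        for c in doomed:
            del self.sessions[c]
        return len(doomed)


def stolen_cookie_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Victim logs in with MFA, the stealer copies the cookie, the victim logs out."""
    srv = AuthServer()
    victim_cookie = srv.login("creator", "correct horse battery", "123456")
    stolen_copy = victim_cookie            # what a stealer reads from the Cookies DB
    replay_before = srv.whoami(stolen_copy)  # attacker is "creator" without MFA
    srv.logout(victim_cookie)               # victim signs out
    replay_after = srv.whoami(stolen_copy)  # same cookie now fails
    return replay_before, replay_after


if __name__ == "__main__":
    print(stolen_cookie_scenario())
```

Two caveats follow from the model. First, the attacker's headless browser never touches `login`, so a stronger second factor changes nothing once the cookie is out. Second, logout only kills sessions: if the attacker has already used the session to change the password or recovery options, those changes survive the logout and must be reverted separately.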
Creators are also advised not to download cracked software from suspicious websites or other third-party sources, since those are the channels through which the trojanised imitations are served.