"New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators"

Researchers at Intezer have discovered a new data-stealing malware, dubbed YTStealer, that targets YouTube content creators by stealing their authentication cookies. The tool is likely sold as a service on the dark web, and it is distributed through fake installers that also drop RedLine Stealer and Vidar. What distinguishes YTStealer from other stealers on the dark web market is that it focuses solely on harvesting credentials for a single service rather than grabbing everything it can reach. Its method of operation is otherwise similar to that of its counterparts: it extracts cookies from the web browser's database files in the user's profile folder. To confirm that the stolen cookies belong to a content creator and to learn more about the account, the malware uses one of the browsers installed on the infected machine to gather YouTube channel information. It launches that browser in headless mode, adds the stolen cookie to the browser's data store, and then navigates to the user's YouTube Studio page using the web automation library Rod. From there it collects details about the user's channels, such as the channel name, subscriber count, and creation date, as well as whether the channel is monetized, is an official artist channel, and is verified, and sends the data to a remote server. Because a stolen session cookie is accepted as a valid login, the attacker can then act as the creator without knowing the password. Another noteworthy feature of YTStealer is its use of the open-source Chacal "anti-VM framework" to hinder debugging and memory analysis. This article continues to discuss findings surrounding the YTStealer malware.
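The behaviour described above, a non-browser process starting an installed browser in headless mode with a planted cookie store, is something a defender can look for in process-creation telemetry. The following detector is an added example for this summary, not code from Intezer, THN or the YTStealer sample. The events it runs over are constructed records whose field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1; that field layout, the parent allow-list, and the secondary indicators (a DevTools remote-debugging port and a throwaway profile directory under Temp, modelled on how Chromium automation frameworks such as Rod typically start the browser) are all assumptions to adjust to your own telemetry.

```python
"""Flag headless-browser launches from unexpected parent processes.

Added example for this news summary; not Intezer, THN or YTStealer code.
SAMPLE_EVENTS are constructed process-creation records (Sysmon Event ID 1
style fields are an assumption; map them to your EDR's schema).
"""
import json

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
            "opera.exe", "vivaldi.exe", "chromium.exe"}

# Parents that routinely start a browser on a workstation: the desktop shell
# and the browser itself (renderer, GPU and utility children). Assumed
# baseline; CI runners and developer shells need local tuning.
EXPECTED_PARENTS = BROWSERS | {"explorer.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flags(cmdline: str) -> list[str]:
    """Command-line tokens that look like switches, lower-cased."""
    return [t.lower() for t in cmdline.split() if t.startswith("-")]


def headless_indicators(event: dict) -> list[str]:
    """Return the suspicious indicators in one process-creation event.

    Empty list means the event is not a headless browser launch at all.
    """
    if basename(event.get("Image", "")) not in BROWSERS:
        return []
    toks = flags(event.get("CommandLine", ""))
    # Chromium: --headless or --headless=new; Firefox: -headless / --headless
    headless = any(t in ("--headless", "-headless") or t.startswith("--headless=")
                   for t in toks)
    if not headless:
        return []
    ind = ["headless"]
    if basename(event.get("ParentImage", "")) not in EXPECTED_PARENTS:
        ind.append("unexpected-parent")
    # DevTools-protocol automation attaches over a debugging port; port 0
    # asks the browser to pick a free one (assumed launcher behaviour).
    if any(t.startswith("--remote-debugging-port") for t in toks):
        ind.append("remote-debugging")
    # A profile directory under Temp is a throwaway store into which the
    # stolen cookie was planted, not the user's own profile.
    if any(t.startswith("--user-data-dir=") and "\\temp\\" in t for t in toks):
        ind.append("temp-profile")
    return ind


def triage(events, min_score: int = 2) -> list[dict]:
    """Events carrying at least min_score indicators, summarised for an analyst."""
    hits = []
    for e in events:
        ind = headless_indicators(e)
        if len(ind) >= min_score:
            hits.append({"image": basename(e.get("Image", "")),
                         "parent": basename(e.get("ParentImage", "")),
                         "indicators": ind})
    return hits


# Constructed telemetry, not real logs.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    # 1. user opens YouTube Studio from the desktop: benign
    {"Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" https://studio.youtube.com/'},
    # 2. renderer child of the browser: benign
    {"Image": CHROME, "ParentImage": CHROME,
     "CommandLine": f'"{CHROME}" --type=renderer --lang=en-US'},
    # 3. fake installer drives the browser headless with a temp profile
    {"Image": CHROME, "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Setup_x64.exe",
     "CommandLine": f'"{CHROME}" --headless --remote-debugging-port=0 '
                    r"--user-data-dir=C:\Users\alice\AppData\Local\Temp\rod\user-data "
                    "--no-first-run"},
    # 4. headless screenshot started from the shell: headless, but expected parent
    {"Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EDGE}" --headless=new --screenshot https://example.com/'},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Only event 3 reaches the threshold: it is headless, spawned by an executable in the user's Temp folder, exposes a DevTools port and uses a throwaway profile. Event 4 is headless too but comes from the desktop shell and scores one, so it is left for baselining rather than alerting; on build machines and developer workstations you will need to extend EXPECTED_PARENTS or raise min_score.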

THN reports "New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators"
