
New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators

Cybersecurity researchers have documented a new
information-stealing malware that targets YouTube content creators
by plundering their authentication cookies.

Dubbed “YTStealer” by Intezer, the malicious tool is believed to be
sold as a service on the dark web, and is distributed using fake
installers that also drop RedLine Stealer and Vidar.

“What sets YTStealer aside from other stealers sold on the dark
web market is that it is solely focused on harvesting credentials
for one single service instead of grabbing everything it can get
ahold of,” security researcher Joakim Kennedy said in a report[1]
shared with The Hacker News.

The malware’s modus operandi, however, mirrors its counterparts
in that it extracts the cookie information from the web browser’s
database files in the user’s profile folder. Where it differs is in
how it singles out content creators: it uses one of the browsers
installed on the infected machine to gather YouTube channel
information.

It achieves this by launching the browser in headless mode[2]
and adding the cookie to the data store, followed by using a web
automation tool called Rod[3]
to navigate to the user’s YouTube Studio page, which enables[4]
content creators to “manage your presence, grow your channel,
interact with your audience, and make money all in one place.”

From there, the malware captures information about the user’s
channels, including the name, the number of subscribers, and its
creation date, alongside checking if it’s monetized, an official
artist channel, and if the name has been verified, all of which is
exfiltrated to a remote server carrying the domain name
“youbot[.]solutions.”
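The behaviours described in the three paragraphs above (a non-browser process reading the browser's cookie database, a browser launched headless by that same process, and DNS traffic to the reporting domain) are each individually noisy but together form a distinctive chain. The following Python is an added detection example written for this page, not code from Intezer or The Hacker News. It runs three rules over a handful of constructed endpoint events and escalates any process that trips more than one rule. The event schema, process names, file paths and the `--remote-debugging-port` flag in the sample command line are assumptions; the exfiltration domain is the one the report names, de-fanged on the page as youbot[.]solutions.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the behaviour Intezer describes.
# NOT real telemetry: paths, process names and the command line are assumptions.
SAMPLE_EVENTS = [
    # Dropper reads Chrome's cookie store directly (assumed Windows path).
    {"type": "file_read", "process": "Premiere_Pro_Setup.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    # Dropper spawns a headless browser (remote-debugging flag is an assumption).
    {"type": "process_create", "parent": "Premiere_Pro_Setup.exe", "image": "chrome.exe",
     "cmdline": r"chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\Users\alice\AppData\Local\Temp\rod"},
    # Dropper resolves the domain the report names as the exfiltration endpoint.
    {"type": "dns_query", "process": "Premiere_Pro_Setup.exe", "query": "youbot.solutions"},
    # Benign activity: the browser reading its own cookie store, a user opening YouTube Studio.
    {"type": "file_read", "process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "process_create", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://studio.youtube.com/"},
    {"type": "dns_query", "process": "chrome.exe", "query": "studio.youtube.com"},
]

# Browser images that are expected to touch their own cookie databases.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Chromium stores cookies in a file named "Cookies"; Firefox uses "cookies.sqlite".
COOKIE_DB_RE = re.compile(r"(?:[\\/]cookies|cookies\.sqlite)$", re.IGNORECASE)
# Matches "--headless" or "--headless=new" as a whole command-line token.
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?:\s|$)")
# Domain from the Intezer report, normalised from its de-fanged form.
KNOWN_EXFIL_DOMAINS = {"youbot.solutions"}


def detect(events):
    """Return (rule_name, offending_process) pairs, one per matching event."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_read":
            proc = ev["process"].lower()
            if proc not in BROWSER_IMAGES and COOKIE_DB_RE.search(ev["path"]):
                findings.append(("cookie_db_read_by_non_browser", ev["process"]))
        elif kind == "process_create":
            is_browser_child = ev["image"].lower() in BROWSER_IMAGES
            non_browser_parent = ev["parent"].lower() not in BROWSER_IMAGES
            if is_browser_child and non_browser_parent and HEADLESS_RE.search(ev["cmdline"]):
                findings.append(("headless_browser_from_non_browser_parent", ev["parent"]))
        elif kind == "dns_query":
            if ev["query"].lower().rstrip(".") in KNOWN_EXFIL_DOMAINS:
                findings.append(("dns_to_known_exfil_domain", ev["process"]))
    return findings


def correlate(findings, threshold=2):
    """Group findings by process; escalate processes hitting >= threshold distinct rules."""
    rules_by_proc = defaultdict(set)
    for rule, proc in findings:
        rules_by_proc[proc].add(rule)
    return {proc: sorted(rules) for proc, rules in rules_by_proc.items()
            if len(rules) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, proc in hits:
        print(f"{rule:45s} {proc}")
    print("escalate:", correlate(hits))
```

On the sample data the benign browser events produce no findings, while the installer process trips all three rules and is escalated. The headless rule on its own is a weak signal, since CI runners, scrapers and test harnesses launch headless browsers legitimately; the value is in the correlation with a cookie-store read by the same non-browser process, which is the part of the chain a legitimate automation tool has no reason to perform. Newer Chromium builds keep the cookie store under a `Network` subdirectory while older ones place it directly in the profile folder, which is why the rule keys on the file name rather than the full path.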

Another notable aspect of YTStealer is its use of the
open-source Chacal[5]
“anti-VM framework” in an attempt to thwart debugging and memory
analysis.

Further analysis of the domain has revealed that it was registered[6]
on December 12, 2021, and that it’s possibly connected to a
software company[7]
of the same name that’s located in the U.S. state of New Mexico and
claims to provide “unique solutions for getting and monetizing
targeted traffic.”


That said, open-source intelligence gathered by Intezer has also
linked the logo of the supposed company to a user account[8] on an Iranian
video-sharing service called Aparat.

A majority of the dropper payloads delivering YTStealer together
with RedLine Stealer are packaged under the guise of installers for
legitimate video editing software such as Adobe Premiere Pro,
Filmora, and HitFilm Express; audio tools like Ableton Live 11 and
FL Studio; game mods for Counter-Strike: Global Offensive and Call
of Duty; and cracked versions of security products.

“YTStealer doesn’t discriminate about what credentials it
steals,” Kennedy said. “On the dark web, the ‘quality’ of stolen
account credentials influences the asking price, so access to more
influential YouTube channels would command higher prices.”

References

  1. ^ report (www.intezer.com)
  2. ^ headless mode (en.wikipedia.org)
  3. ^ Rod (github.com)
  4. ^ enables (support.google.com)
  5. ^ Chacal (github.com)
  6. ^ registered (whois.domaintools.com)
  7. ^ software company (goo.gl)
  8. ^ user account (www.aparat.com)
