YTStealer opens the browser in headless mode (ie without a graphical interface). In this way, cybercriminals can browse as if they were sitting in the user's seat, without the user noticing anything. Once connected to the YouTube Studio page, which creators use to manage their content, the malware steals information such as the account name, the number of subscribers and which channels are monetized. The data is then encrypted and sent to a server whose domain is youbot [.] Solutions. The domain name refers to a US corporation based in New Mexico and is registered in December 2021. At the moment, no relationship has been confirmed between the malware and Youbot Solutions LLC.
About Youbot Solutions LLC. Source: Intezer
Intezer speculates that YTStealer is being sold as a service on the dark web to other cybercriminal groups. Although the malware does not discriminate between small and large accounts, with a few tens or millions of followers, the price for purchasing data varies according to the nature and size of the hacked account.
As YTStealer is a malware dedicated to video creators, the files that contain it are disguised as installation files for programs such as OBS Studio, an open source streaming service, and various video editing software such as Adobe Premiere Pro, Filmora, and HitFilm Express. Experts advise to rely only on verified sources for downloading programs and applications.
"With regards to authentication data stolen from YouTube, we have not analyzed how it is monetized later in the chain," conclude the Intezer researchers. "One of the options could be fraud against a channel subscriber."