Google: YouTubers’ accounts hijacked with cookie-stealing malware


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Google says YouTube creators have been targeted with password-stealing malware in phishing attacks coordinated by financially motivated threat actors.

Researchers with Google's Threat Analysis Group (TAG), who first spotted the campaign in late 2019, found that multiple hack-for-hire actors recruited via job ads on Russian-speaking forums were behind these attacks.

The threat actors used social engineering (via fake software landing pages and social media accounts) and phishing emails to infect YouTube creators with information-stealing malware, chosen based on each attacker's preference.

Malware observed in the attacks includes commodity strains like RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, and open-source ones such as Sorano and AdamantiumThief.

Once delivered on the targets' systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims' accounts in pass-the-cookie attacks.

"While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics," said Ashley Shen, a TAG Security Engineer.

"Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking."