YTStealer is malware built to steal YouTube authentication cookies. Like many other stealers, the first thing it does when executed is a set of environment checks to detect whether it is being analyzed in a sandbox. The code for these checks comes from an open-source project hosted on GitHub called Chacal, a framework that markets itself to red teams and pentesters and provides anti-debugging, anti-memory-analysis and anti-VM functionality.
The code also checks whether it is running as a 32-bit or 64-bit process. If it is a 64-bit process, it skips the rest of its functionality and simply exits. This is because YTStealer uses an API function called NtGlobalFlag to detect whether it is running on a Windows XP system; at the time, NtGlobalFlag was available only on Windows XP.
The malware's cookie-stealing function is called YTMsgBox::ShowYTWindow(). The code inside it comes from an open-source project called uaf.py, which is also designed for penetration testing and demonstrates how some common anti-debugging techniques fail: it ignores the return values of dangerous API calls and carries out its actions while being monitored by memory analysis tools such as OllyDbg or WinDbg.
If the environment checks pass, the malware opens a YTMsgBox window asking the user for a username and password. The input looks like this:
The string is split so that YouTube can use it and is then concatenated back together. The credentials are used to obtain authentication cookies from YouTube, which are encrypted before being sent to the C&C server, in case a security researcher is sniffing the network. The following Python code can be used to decrypt the cookie data:
import base64, hmac
from Crypto.
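The page's decryption script is cut off after its imports, so the layout of the encrypted cookie blob is not known. The following is an added example, not the article's or the malware's code: it shows the verify-then-decrypt pattern an analyst uses on an exfiltrated blob once the key is recovered, using a constructed base64 + HMAC-SHA256 envelope (IV || ciphertext || tag) with a stdlib-only keystream standing in for the block cipher the truncated Crypto import implies. All keys, cookie values and the envelope format are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed envelope layout (assumption, not YTStealer's real format):
#   base64( iv[16] || ciphertext || hmac_sha256(key, iv || ciphertext)[32] )
TAG_LEN = 32
IV_LEN = 16


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_cookie_blob(key: bytes, plaintext: bytes, iv: bytes = b"") -> str:
    """Encrypt-then-MAC, then base64. Used here only to build the sample blob."""
    iv = iv or os.urandom(IV_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(iv + ct + tag).decode()


def decrypt_cookie_blob(key: bytes, blob_b64: str) -> bytes:
    """Check the tag in constant time before touching the ciphertext.

    Raises ValueError when the key is wrong or the blob was altered, so a
    corrupted capture is never silently decrypted into garbage."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < IV_LEN + TAG_LEN:
        raise ValueError("blob too short to hold iv and tag")
    iv, ct, tag = raw[:IV_LEN], raw[IV_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))


# Constructed sample: fake key and fake cookie values, not real stealer data.
SAMPLE_KEY = b"constructed-key-not-from-the-malware"
SAMPLE_COOKIES = b"SID=FAKE_SID_VALUE; HSID=FAKE_HSID_VALUE"
SAMPLE_BLOB = encrypt_cookie_blob(SAMPLE_KEY, SAMPLE_COOKIES, iv=bytes(IV_LEN))

if __name__ == "__main__":
    print(decrypt_cookie_blob(SAMPLE_KEY, SAMPLE_BLOB).decode())
```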