State Sponsored Threat
Charming Kitten, a state-sponsored Iranian hacking group is using a new tool to download emails from targeted Yahoo, Microsoft Outlook, and Gmail accounts.
The utility is called Hyperscraper and like many hackers' operations and tools, it is in no way sophisticated. But its lack of sophistication is balanced by effectiveness, letting the threat actors hack a target's e-mail inbox without leaving any traces of the intrusion.
Simple but effective email scraper
In a recent technical report, experts from Google's TAG (Threat Analyst Group), shared information about Hyperscraper's capabilities and said that it is under active development.
Google TAG links the tool to Charming Kitten, a threat group based in Iran that is also called APT35 and Phosphorus, and said the earliest samples were found from 2020.
The researchers discovered Hyperscraper in December 2021 and analysed it using a Gmail test account. Hyperscraper isn't a hacking tool but an instrument that lets threat actors steal email data and store it on their devices after getting into the victim's email account.
How does Hyperscraper work?
Getting the login credentials for the victim's inbox is done in an earlier stage of the attack, generally by stealing them.
Hyperscraper has an embedded browser and fools the user agent to imitate an outdated web browser, it provides a basic HTML view of the Gmail account's details.
Google TAG says that once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread.
Google TAG Experts' Analysis
When the extraction is completed, Hyperscraper changes the language settings to English and moves through the contents of the email inbox, downloading messages individually as .eml files extension and marking them unread.
Google TAG experts said earlier variants of Charming Kitten's utility could get data from 'Google Take-out,' a feature that lets users shift data from their Google account for making a backup or using it with a third-party service.
While running, Hyperscraper works via the C2 (Command and Control) server, waiting for a 'go' sign to start the exfiltration process.
How does threat actor use Hyperscraper?
The operator can change the tool with important parameters (identifier string, operation mode, path to valid cookie file) via command-line arguments or using a minimal user interface.
If the path to the cookie file isn't given over the command line, the operator has the option to drag and drop it into a new form. After the cookie has been parsed successfully and embedded in the local cache of the web browser,
Victims have been notified
Hyperscraper makes a 'Download' folder where it throws the contents of the target inbox. The victims of Charming Kitten who were attacked with Hyperscraper have been informed about the government-backed attacks.
"Users that received such a warning are encouraged to bolster their defenses against more sophisticated attackers by enrolling in Google’s Advanced Protection Program (AAP) and by activating the Enhanced Safe Browsing feature, both provided an added security layer to existing protection mechanisms," said Bleeping Computers.
