Iranian Hacker Charming Kitten Uses Hyperscraper to Steal Inbox Messages

Hyperscraper

• Hyperscraper, first spotted in December 2021, is a tool that steals email data and saves it on the system after logging into the victim's email account.
• The tool has an inbuilt web browser and spoofs the user agent, pretending to be an outdated web browser, which offers a basic HTML view for the Gmail account’s content.
• Researchers further claim that older variants of utility may request data from a service that allows users to export data from their email account to backup or use it with a third-party service, Google Takeout.

How does it work?

• The operator can set up the tool with the path of the required parameter to a valid cookie file, operation mode, or identifier string by using command-line arguments or using a minimal user interface.
• If the path to the cookie file is not provided over the command line, the operator can drag-n-drop into a new form.
• Once the cookie has been analyzed successfully and added to the local cache of the web browser, the tool creates a Download folder where it stores the contents of the target inbox.

Masking tracks

• Once logged in, Hyperscraper makes changes to the account's language settings to English and goes through the contents of the mailbox, downloads messages as .eml files, and marks them unread, so that users won't get any hint about the hack.
• Moreover, Hyperscraper masks its tracks by deleting any emails from Google that may raise alerts for an attacker's activity such as sign-in attempts, security alerts, availability of data archive, and access to apps.

Staying safe