Charming Kitten, an Iranian hacking group, is using a new tool to download email messages from Gmail, Yahoo!, and Microsoft Outlook accounts. The tool, identified as Hyperscraper, is claimed to be under active development and not very sophisticated yet very effective.

Hyperscraper

Researchers from Google's TAG have shared details regarding Hyperscraper’s features and working. While the tool is under active development and not very sophisticated, it is yet very effective.
  • Hyperscraper, first spotted in December 2021, is a tool that steals email data and saves it on the system after logging into the victim's email account.
  • The tool has an inbuilt web browser and spoofs the user agent, pretending to be an outdated web browser, which offers a basic HTML view for the Gmail account’s content.
  • Researchers further claim that older variants of utility may request data from a service that allows users to export data from their email account to backup or use it with a third-party service, Google Takeout.

Hyperscraper has been used on a small number of accounts, fewer than two dozen, all users from Iran. The targets were alerted via warnings about government-backed attacks.

How does it work?

While running, Hyperscraper communicates with a C2 server waiting for confirmation to begin the exfiltration process.
  • The operator can set up the tool with the path of the required parameter to a valid cookie file, operation mode, or identifier string by using command-line arguments or using a minimal user interface.
  • If the path to the cookie file is not provided over the command line, the operator can drag-n-drop into a new form.
  • Once the cookie has been analyzed successfully and added to the local cache of the web browser, the tool creates a Download folder where it stores the contents of the target inbox.

Masking tracks

  • Once logged in, Hyperscraper makes changes to the account's language settings to English and goes through the contents of the mailbox, downloads messages as .eml files, and marks them unread, so that users won't get any hint about the hack.
  • Moreover, Hyperscraper masks its tracks by deleting any emails from Google that may raise alerts for an attacker's activity such as sign-in attempts, security alerts, availability of data archive, and access to apps.

Staying safe

For better protection from threats such as Hyperscraper, users are suggested to improve their existing defenses by activating the Enhanced Safe Browsing feature and enrolling in Google’s Advanced Protection Program. Further, organizations should leverage provided IOCs to detect and defend from malicious activities.
Cyware Publisher

Publisher

Cyware