Iranian advanced persistent threat (APT) group Charming Kitten has a new data-scraping tool in its arsenal that claws emails from victim Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials, Google researchers have found.
A team from Google Threat Analysis Group (TAG) discovered the tool, dubbed Hyperscrape, last December and has been tracking it since then, it said in a new blog post.
The attacker poses as a legitimate user by either by initiating an authenticated user session that’s been hijacked or via stolen credentials, and then runs the scraper to download victims’ inboxes, TAG’s Ajax Bash said in Google’s post.
“It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail” by resulting in an error message, he explained.
If the attacker can’t access the account this way, the tool displays a login page for manually entering credentials to proceed, with Hyperscrape waiting until it finds the victim’s inbox page, according to Bash.
Hyperscrape appears to have been around since 2020, when its first samples were spotted. Charming Kitten — aka Phosphorus and myriad other names — continues to actively develop the tool. Attacks so far have been limited to less than two dozen accounts located in Iran, the researchers found.
Modus Operandi
Once logged in, Hyperscrape changes the account’s language settings to English and goes through the contents of the mailbox, individually downloading messages as .eml files and marking them unread, Bash explained.
After downloading messages from the inbox, the tool reverts the language back to its original settings and deletes any security emails from Google. The tool is written in .Net for targeting Windows PCs and is designed to run on the attacker’s machine, he said.
Early versions of Hyperscrape included an option for actors to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.
This feature would spawn a new copy of the tool and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the export. Once received, the browser would navigate to the official Takeout link to request and eventually download the exfiltrated data.
The Takeout feature was never automated in the tool, however, and researchers said they’re not clear on why it was removed.
Google’s researchers tested Hyperscrape specifically with a Gmail account, noting that functionality may differ for Yahoo or Microsoft email apps when under attack. Moreover, Hyperscrape won’t run unless in a directory with other file dependencies, they explained.
Furthering Objectives
Charming Kitten is a prolific APT believed to be backed by government of Iran and known by a number of other names — including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus.
The group — which first rose to prominence in 2018 — has been extremely active in the last several years and is best known for targeted cyber-espionage attacks against politicians, journalists, human-rights activists, researchers, scholars, and think tanks.
Some of the APT’s more high-profile attacks occurred in 2020, when the group targeted the Trump and Biden presidential campaigns as well as attendees of two global geopolitical summits, the Munich Security Conference and the Think 20 (T20) Summit, in separate and various incidents.
While Hyperscrape doesn’t showcase anything groundbreaking as far as novel malware goes, it does show Charming Kitten’s commitment to developing custom capabilities dedicated to a particular purpose, according to Bash.
“Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives,” he explained.
And while groups like Charming Kitten often have very targeted goals for their cybercriminal activity, Google TAG’s disclosure and work with law enforcement against APTs is aimed at raising awareness within both the security community and targeted companies and communities, according to the blog post.
The company encourages high-risk users to enroll in its Advanced Protection Program (APP) and use Google Account Level Enhanced Safe Browsing to ensure a high level of protection against ongoing threats.