Description
A hacker group called Charming Kitten has developed an instrument designed to download email contents from Gmail, Yahoo and Microsoft Outlook accounts. This instrument is referred to as Hyperscrape.
Summary
Researchers of Google Threat Analysis Group (TAG) reported that Hyperscrapes functionality is under active development. However, although it lacks technical and complex features, it is effective in retrieving email contents, stealthily.
Google Threat Analysis Group (TAG) researchers found Hyperscrape in December 2021 and an analysis was done on its functionality. The researchers concluded that Hyperscrape is an instrument that enables the attacker to extract and store email data on their machine after accessing the victim”s email account.
How it works
Hyperscrape typically steals victims credentials. It has an embedded browser that tricks the user agent to mimic an outdated web browser. It delivers a basic HTML view of the information stored in the Gmail account.
According to Googles Threat Analysis Group, once the attacker gains access to the victims email account, the instrument adjusts the accounts language settings to English. It then proceeds to download email messages as .eml files. These .eml files are then marked as unread. After this process is completed, the instrument modifies the language settings to its original state and deletes Googles security alerts.
The tool is designed to run on the attackers machine and is written in .NET for Windows PC.
Hyperscrape, when running, communicates with a command and control (C2) server for confirmation to commence the extraction process of email data.
Configuration of the tool with the essential parameters can be done by the operator with the use of command-line arguments or via a minimal user interface.
If in the eventuality that the path to the cookie file was not established over the command line, the operator can drag and drop it into a new form.
A download folder is then created by Hyperscrape to store the information of the victims mailbox having parsed the cookie successfully and added to the local cache of the web browser. If the cookie does not provide the operator with access to the victims mailbox, then access can be gained manually.
Remediation
A notification through warnings about government-backed attacks would usually be provided to users that were affected by attacks from Charming Kittens Hyperscrape.
It is advisable that users who receive the above-mentioned warning enroll in Googles Advanced Protection Program (AAP) and activate theEnhanced Safe Browsingfeature.
The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary.
PDF Download: Charming Kitten uses new tool to steal email data from victims.pdf
References
Ilascu I. (23rd August 2022) Google: Iranian hackers use new tool to steal email from victims. Retrieved from Bleeping Computer.
https://www.bleepingcomputer.com/review/gaming/google-iranian-hackers-use-new-tool-to-steal-email-from-victims/
Bash A. (23rd August 2022) New Iranian APT data extraction tool. Retrieved from Google Threat Analysis Group (TAG).
https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/