Learn about a new Iranian tool called Hyperscrape and how it’s being used by a cyber-espionage group to extract content from victims’ inboxes.
Charming Kitten, also known as APT35 and Magic Hound, is a state-sponsored threat actor originating from Iran that has been operating for about 10 years. The threat actor has targeted government and military personnel, academics and journalists in the US and the Middle East. Their goal is cyber espionage.
APT35 may not be the most advanced APT threat actor in the wild, but their tooling is robust and effective.
Google’s Threat Analysis Group (TAG) recently discovered a new tool called Hyperscrape that can steal data from mailboxes like Gmail, Yahoo! or Microsoft Outlook.
What is Hyperscrape and how does it work?
Hyperscrape is a tool written for Windows systems in .NET. It runs on the attacker’s computer and, once in possession of valid email credentials or a valid session cookieto quietly extract emails from mailboxes.
TO SEE: Mobile Device Security Policy (Tech Republic Premium)
Once run from a directory with specific file dependencies, the tool checks the connection to a particular command and control server; it will be terminated if there is no connection. If everything is OK, the software opens a first form to specify parameters (Image A).
The parameters can also be specified in the command line. After delivery, the data is sent to the C2 for confirmation. A new form will then appear, allowing the attacker to provide a valid cookie file unless they provided it via the command line.
Hyperscrape then launches a built-in web browser and stores the cookies in a local cache used by that browser, which is configured to look like an outdated browser. The browser then navigates to Gmail.
Gmail’s behavior in this case consists of throwing an error message and leaving the option to use the “Basic HTML view” feature of the email service (Figure B).
If the session cookie is unable to access the mailbox, the attacker is given the option to manually enter valid credentials into the browser.
Once successfully connected to the mailbox, the software checks the Gmail language and sets it to English if not, while saving the current language parameter to restore it once the theft operation is completed.
The tool then automatically checks all available tabs in the inbox, downloads any email it finds, and resets it to the unread state if necessary.
All emails are stored locally in a Downloads folder, where the file name matches the subject of the email. A log file is also generated (Figure C).
After all emails are dumped, the software sends status and system information to the C2 server and deletes any security emails from Google that may have been generated by the tool’s activity.
Google researchers also discovered earlier versions of the tool, which allowed attackers to download data from Google Take Outcreated a Google service for their customers to download data from various Google services like Gmail, Google Docs, Google Calendar and more.
In the case of Takeout, the tool would spawn a fresh copy of itself and initialize a pipe communication channel to replay the cookies and account name to the service and navigate to the legitimate Takeout link, aiming to query the data and eventually to download. It is unclear to researchers why that functionality has disappeared in later versions of the Hyperscrape tool.
Google researchers analyzed the tool in a controlled environment with a test Gmail account. They indicate that the functionality for Yahoo! or Microsoft accounts.
In addition to the Hyperscrape tool, PwC . offers reported in July 2022, another tool was used and probably developed by the threat actor, which enabled the theft of targeted Telegram accounts. Interestingly enough, that second tool needed access to the victim’s email box to work successfully, so Charming Kitten is expected to use Hyperscrape first before using the email data for more compromising tools like the Telegram account dump.
How to protect against this threat?
Using the Hyperscrape tool is only possible when the attacker already has valid credentials or a valid session cookie from the target mailbox.
Users should always completely disconnect from their mailbox when they are not using it. This greatly shortens the validity of the session cookie that may have been stolen.
TO SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Users must also use multi-factor authentication (MFA) to access their mailboxes. The second authentication channel should be one that the attacker cannot access, especially if the victim’s computer has been hacked.
The way Charming Kitten obtains valid email credentials or session cookies from their victims is unknown, but it seems difficult to collect session cookies other than using malware, so users should always keep security software up to date and patched on have their computers.
Finally, users should also always keep the operating system and all software up-to-date and patched to avoid being compromised by a common vulnerability.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.