Google Discovers Iranian Hacking Tool that Steals Data from Email Accounts
An Iranian-backed actor that goes by the name of “Charming Kitten” has added a new tool to its malware arsenal. This tool, dubbed “HYPERSCRAPE” by the Google Threat Analysis Group (TAG), can retrieve user data from Gmail, Yahoo! and Microsoft Outlook accounts.
The malicious software is active and still under development, and is said to have been used against almost two dozen accounts in Iran, with the oldest known sample dating back to 2020. The tool was first discovered in December 2021.
Charming Kitten, a prolific Advanced Persistent Threat (APT) group, is believed to be associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and has historically conducted espionage aligned with the interests of the Iranian government.
The group is also tracked as APT35, Cobalt Illusion, ITG18, Phosphorus, TA453 and Yellow Garuda. It has also carried out ransomware attacks, which suggests that its motives are both espionage-driven and financial.
“HYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired,” Google TAG researcher Ajax Bash said.
The software is written in .NET and is designed to run on the attacker’s Windows machine. The tool includes functions to download and exfiltrate the contents of the victim’s email inbox. Additionally, it deletes the security emails Google sends to alert the user to suspicious logins.
After opening a message, the tool marks it as unread again and downloads it as a “.eml” file. Earlier versions of the software are said to have included an option to request data from Google Takeout, a feature that lets users export their data to a downloadable archive file.
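The behaviour described above (messages opened and immediately re-marked unread in bulk, and provider security alerts being deleted) is something a mailbox audit log can be hunted for. The following is an added example, not code from the original article or from Google TAG; the log line format, session ids and subjects are constructed for illustration, and the thresholds are assumptions a defender would tune.

```python
"""Hunt a mailbox audit log for HYPERSCRAPE-style activity (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> session=<id> action=<verb> msg=<n> subject="<text>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) action=(?P<action>\w+) '
    r'msg=(?P<msg>\d+) subject="(?P<subject>[^"]*)"$'
)
# Subjects typical of a provider's own login warnings (pattern is an assumption)
SECURITY_ALERT_RE = re.compile(r"security alert|new sign-in|suspicious", re.I)
UNREAD_WINDOW_S = 30   # "read" then "mark_unread" within this many seconds is suspicious
BULK_THRESHOLD = 5     # this many quick re-unreads in one session triggers a finding

def parse_line(line):
    """Parse one constructed audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["msg"] = int(ev["msg"])
    return ev

def analyze(lines):
    """Return {session: [finding, ...]} for sessions matching either heuristic."""
    findings = defaultdict(list)
    last_read = {}                   # (session, msg) -> time the message was opened
    quick_unreads = defaultdict(int)  # session -> count of fast read->unread flips
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["session"], ev["msg"])
        if ev["action"] == "read":
            last_read[key] = ev["ts"]
        elif ev["action"] == "mark_unread" and key in last_read:
            if (ev["ts"] - last_read[key]).total_seconds() <= UNREAD_WINDOW_S:
                quick_unreads[ev["session"]] += 1
        elif ev["action"] == "delete" and SECURITY_ALERT_RE.search(ev["subject"]):
            findings[ev["session"]].append(f"deleted security alert: {ev['subject']!r}")
    for session, n in quick_unreads.items():
        if n >= BULK_THRESHOLD:
            findings[session].append(f"{n} messages re-marked unread within {UNREAD_WINDOW_S}s of being read")
    return dict(findings)

# Constructed sample: one session sweeps five messages and removes a login alert,
# a second session re-marks a message unread half an hour later (normal use).
SAMPLE_LOG = []
for i in range(1, 6):
    SAMPLE_LOG.append(f'2022-08-01T10:00:{2*i:02d}Z session=s-attacker action=read msg={i} subject="Invoice {i}"')
    SAMPLE_LOG.append(f'2022-08-01T10:00:{2*i+1:02d}Z session=s-attacker action=mark_unread msg={i} subject="Invoice {i}"')
SAMPLE_LOG += [
    '2022-08-01T10:00:20Z session=s-attacker action=delete msg=99 subject="Security alert: new sign-in on Windows"',
    '2022-08-01T10:00:00Z session=s-owner action=read msg=10 subject="Lunch?"',
    '2022-08-01T10:30:00Z session=s-owner action=mark_unread msg=10 subject="Lunch?"',
]
```

Run `analyze(SAMPLE_LOG)` to see the attacker session flagged on both heuristics while the owner's session produces no finding.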
Previously, the IRGC was found to deploy a custom Android surveillanceware called “LittleLooter”, a feature-rich implant capable of gathering sensitive information stored on compromised devices. The software also recorded audio, video and calls.
“Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives,” Bash said. The owners of the affected accounts have been notified and the accounts have been secured.
Story via The Hacker News