A well-known and prolific attack group backed by the Iranian government has been using a custom tool to download the contents of Gmail, Yahoo Mail, and Outlook 365 inboxes remotely.
The tool is called HYPERSCRAPE and has been in use for at least two years by a group known as Charming Kitten, also tracked as APT35. Researchers across the security community have been following this group for many years, and it consistently conducts phishing campaigns against small, targeted groups of people, designed to gain access to sensitive information and environments. Cyber espionage is the group’s main aim, and its activities are closely aligned with the interests of the Iranian government.
Since December, Google’s elite Threat Analysis Group has been tracking APT35’s use of HYPERSCRAPE to target users across three platforms and steal the contents of their email inboxes. The tool enables the attackers to grab inbox contents, ensure that any unread emails remain marked as such, and delete any emails from Google’s security teams about unusual activity. These processes are largely automated, and Google’s researchers said they have only seen the tool used against fewer than 24 accounts, all of which are owned by Iranian users. It is not a mass exploitation tool, but is used in highly targeted attacks against specific victims. Unlike a malware implant delivered via phishing and designed to stay resident on a victim’s machine, HYPERSCRAPE runs on the attacker’s machine.
“HYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread,” Ajax Bash of Google TAG said in a blog post.
“After the program has finished downloading the inbox, it reverts the language back to its original settings and deletes any security emails from Google. Earlier versions contained the option to request data from Google Takeout, a feature which allows users to export their data to a downloadable archive file.”
HYPERSCRAPE has been under development since 2020 and Charming Kitten is still improving it and adding features. Once it’s installed, the tool reaches out to a command-and-control server and waits for a response. Once the response arrives, the tool is ready to use. The attacker can use the command line to send commands to HYPERSCRAPE or use the GUI forms that the tool will provide. The simplest method for the attacker to gain access to a target Gmail account is to provide a valid cookie.
“After parsing, the cookies are inserted into a local cache used by the embedded web browser. A new folder named "Download" is created adjacent to the main binary. The browser then navigates to Gmail to begin the data collection,” Bash said.
“The user agent is spoofed so it appears like an outdated browser, which results in an error message and allows the attacker to enable the basic HTML view in Gmail.”
If the attacker doesn’t have a valid cookie for the victim, the victim’s credentials are required. Once the attacker has access to the account via either method, HYPERSCRAPE goes through all of the tabs in the Gmail inbox, opens each message, downloads it, and marks it as unread if it was originally marked as such. The tool will also delete any security alert emails sent by Google as a result of the unusual activity. Earlier versions of the tool also had the ability to request a victim’s data from Google through the Google Takeout feature, but that option isn’t present in current versions.
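As an added, defender-side illustration that is not code from the article or from Google TAG, the toy detector below scores a mailbox session against the behaviour sequence described above (outdated user agent, basic HTML view, language switched to English and back, bulk open-then-mark-unread, deletion of a Google security alert). The event tuples, their field layout, the user-agent marker list and the thresholds are all constructed and hypothetical, not any real audit-log schema.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical (session_id, event_type, detail) layout.
# Session s1 mimics the article's described sequence; s2 is ordinary mailbox use.
SAMPLE_EVENTS = (
    [("s1", "login", "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko Firefox/3.6.28"),
     ("s1", "view_mode", "basic_html"),
     ("s1", "language_change", "en")]
    + [("s1", "message_open", f"msg{i}") for i in range(40)]
    + [("s1", "mark_unread", f"msg{i}") for i in range(40)]
    + [("s1", "language_change", "fa"),
       ("s1", "delete", "no-reply@accounts.google.com|Security alert"),
       ("s2", "login", "Mozilla/5.0 (X11; Linux x86_64) Chrome/104.0 Safari/537.36"),
       ("s2", "message_open", "msg7"),
       ("s2", "mark_unread", "msg7")]
)

OUTDATED_UA_MARKERS = ("Firefox/3.", "MSIE ", "Chrome/1.")  # hypothetical, illustrative list
BULK_UNREAD_THRESHOLD = 25  # hypothetical tuning value for "bulk" activity

def score_session(events):
    """Return the list of HYPERSCRAPE-style indicators present in one session's events."""
    indicators = []
    langs = [d for _, t, d in events if t == "language_change"]
    opened = {d for _, t, d in events if t == "message_open"}
    unread = [d for _, t, d in events if t == "mark_unread"]
    if any(m in d for _, t, d in events if t == "login" for m in OUTDATED_UA_MARKERS):
        indicators.append("outdated_user_agent")
    if any(t == "view_mode" and d == "basic_html" for _, t, d in events):
        indicators.append("basic_html_view")
    # Language set to English at some point and not left there: the switch-and-revert pattern.
    if "en" in langs and langs[-1] != "en":
        indicators.append("language_toggled")
    # Many messages opened and then each restored to unread, which hides the bulk read.
    if len(unread) >= BULK_UNREAD_THRESHOLD and set(unread) <= opened:
        indicators.append("bulk_read_then_unread")
    if any(t == "delete" and d.startswith("no-reply@accounts.google.com|")
           and "Security alert" in d for _, t, d in events):
        indicators.append("security_alert_deleted")
    return indicators

def suspicious_sessions(all_events, min_indicators=3):
    """Group events by session and return {session_id: indicators} for sessions at/over threshold."""
    by_session = defaultdict(list)
    for ev in all_events:
        by_session[ev[0]].append(ev)
    scored = {sid: score_session(evs) for sid, evs in by_session.items()}
    return {sid: inds for sid, inds in scored.items() if len(inds) >= min_indicators}
```

No single indicator is conclusive on its own (a real user may well use an old browser or change their language), which is why the detector only flags a session when several of them co-occur.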
“HYPERSCRAPE demonstrates Charming Kitten’s commitment to developing and maintaining purpose-built capabilities,” Bash said.