Iranian APT Group Charming Kitten Updates Malware ArsenalTool Can Steal Gmail, Yahoo! and Microsoft Outlook Emails
An Iranian government-backed hacking group known as Charming Kitten has updated its malware arsenal to include an email inbox scraping tool, proof of the group's dedication to developing and maintaining purpose-built capabilities.
Google's Threat Analysis Group on Tuesday described how the tool, dubbed Hyperscrape, works. The hackers run it on their own machines to download emails from victim inboxes using previously acquired credentials and delete the activity from the application, it says.
Charming Kitten is also known as Phosphorus, TA453, APT35, Cobalt Illusion, ITG18 and Yellow Garuda. It has spied on journalists and activists since at least 2013.
Google first stumbled on the tool in December 2021 although the oldest known sample dates from the year before. Hyperscrape has been deployed against fewer than two dozen Iranian user accounts. "We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings," Google security engineer Ajax Bash says.
Hyperscrape requires the victim's account credentials to run using a valid, authenticated user session that the attacker has hijacked. "It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail," Bash says.
After launching, the tool makes an HTTP GET request to a command and control center handled by the operators and waits for a response body of "OK" and terminates the process if no response is observed.
Google says in the version it tested, the command and control was "unobfuscated and stored as a hardcoded string." In later versions was obfuscated with Base64. Base64 is used to encode binary data that needs to travel through some communication channel that allows only ASCII characters.
Hyperscrape changes the accounts language setting to English and begins iterating through all available mailboxes looking for emails to download and saves it as .eml files, corresponding to the subject. It creates a log file that contains a count of emails downloaded. If an email is originally unread, the tool marks it as unread again.
Once the downloading is finished, the tool reverts the language back to its original settings and deletes any security emails from Google.
Written in .NET for Windows PCs, Hyperscrape is designed in such a way that it runs on the attacker's machine and the functionality differs somewhat for Yahoo! and Microsoft accounts, Google says.