The new HYPERSCRAPE data extraction tool developed by the Iranian Charming Kitten threat group eases the process of stealing email data from targeted accounts.
Context
On August 23, 2022, Google Threat Analysis Group (TAG) researchers published a technical analysis of a unique data extraction tool they named “HYPERSCRAPE” used by the Iranian state-backed Charming Kitten threat group. The tool allows attackers to steal data from Gmail, Yahoo, and Outlook accounts to which the attackers have already obtained credentials. According to Google researchers, HYPERSCRAPE is under active development and has only been deployed against fewer than 24 accounts inside Iranian borders.
Community Impact
For the retail, hospitality, and travel sectors, the Charming Kitten threat actor is typically not a major security concern because the group primarily conducts cyber espionage and destructive attacks against organizations with geopolitical rivalry to Iranian state interests.
However, organizations in the retail, hospitality, and travel sectors are advised to remain aware of tools produced by sophisticated advanced persistent threat (APT) groups because similar tools have historically been observed migrating into wider use by cyber threat actors, especially financially motivated cybercriminal groups, as in the case of NotPetya. According to Google researchers, “HYPERSCRAPE demonstrates Charming Kitten’s commitment to developing and maintaining purpose-built capabilities.” Thus, early recognition of and defense against tools developed by prominent APTs can help establish defenses for potential future threats.
In addition, organizations are advised to ingest the indicators of compromise (IOCs) provided by Google and included in this report.
Technical Details
After attackers have compromised targeted account credentials (which Charming Kitten typically accomplishes through sophisticated phishing operations), the next step is to hijack a valid authenticated user session by spoofing the user agent to impersonate an outdated browser. Once the account is compromised, HYPERSCRAPE changes the account language to English, downloads all messages as .eml files, and marks the messages as unread. After all messages are extracted, the tool changes the language back to original settings and deletes any security alert emails from Google. Earlier versions included a feature to request data from Google’s Takeout service.
HYPERSCRAPE is written using .NET for Windows and is run on the attacker’s machine instead of the victim’s, so only access to the target email account is needed. According to Google researchers, HYPERSCRAPE will only run in a directory where other file dependencies are present.
IOCs
Researchers at Google provided the following IOCS:
| Indicator | Type | Notes |
| 136[.]243[.]108[.]14 | IP Address | C2 Server |
| 173[.]209[.]51[.]54 | IP Address | C2 Server |
| 03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369 | Hash | HYPERSCRAPE Binaries |
| 35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208 | Hash | HYPERSCRAPE Binaries |
| 5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798 | Hash | HYPERSCRAPE Binaries |
| 6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f | Hash | HYPERSCRAPE Binaries |
| 767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4 | Hash | HYPERSCRAPE Binaries |
| 977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f | Hash | HYPERSCRAPE Binaries |
| ac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6 | Hash | HYPERSCRAPE Binaries |
| cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa | Hash | HYPERSCRAPE Binaries |
| 1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23 | Hash | Microsoft Live DLL |
