Technical Details for New Charming Kitten Data Extraction Tool

The new HYPERSCRAPE data extraction tool developed by the Iranian Charming Kitten threat group eases the process of stealing email data from targeted accounts.

Context

On August 23, 2022, Google's Threat Analysis Group (TAG) published a technical analysis of a purpose-built data extraction tool it named “HYPERSCRAPE”, used by the Iranian state-backed Charming Kitten threat group. The tool downloads mailbox contents from Gmail, Yahoo, and Microsoft Outlook accounts for which the attackers have already obtained credentials or a valid authenticated session. According to Google, HYPERSCRAPE is under active development and has so far been deployed against fewer than two dozen accounts, all of them located in Iran.

Community Impact

For the retail, hospitality, and travel sectors, Charming Kitten is typically not a major security concern, because the group primarily conducts cyber espionage and destructive attacks against organizations and individuals whose interests run counter to those of the Iranian state.

However, organizations in the retail, hospitality, and travel sectors are advised to stay aware of tooling produced by sophisticated advanced persistent threat (APT) groups, because such tooling has historically migrated into wider use by other threat actors, especially financially motivated cybercriminal groups, as when the leaked EternalBlue exploit was reused in the WannaCry and NotPetya outbreaks. According to Google researchers, “HYPERSCRAPE demonstrates Charming Kitten’s commitment to developing and maintaining purpose-built capabilities.” Early recognition of, and defense against, tools developed by prominent APTs therefore helps build defenses against the threats that may follow.

In addition, organizations are advised to ingest the indicators of compromise (IOCs) provided by Google and listed at the end of this report.

Technical Details

HYPERSCRAPE does not break into accounts; it needs either account credentials that Charming Kitten has already stolen (typically through targeted phishing) or a valid authenticated session the attackers have hijacked. When it connects, the tool spoofs its user agent to look like an outdated browser, which makes Gmail fall back to its basic HTML view, a page that is far simpler to scrape than the modern interface. Once logged in, HYPERSCRAPE switches the account language to English, iterates through the mailbox downloading every message as an .eml file, and, for any message that was unread before it was opened, marks it unread again so the victim sees no change. After extraction it restores the original language setting and deletes any security alert emails that Google generated during the session, removing the most obvious trace of the login. Earlier versions also included an option to request an export of the account's data through Google Takeout.

HYPERSCRAPE is written in .NET for Windows and runs on the attacker's own machine rather than the victim's, so the operator needs no foothold on the victim's endpoint, only access to the target mailbox. Google also notes that the binary will not run unless it is in a directory containing its other file dependencies, so an analyst with only the isolated executable should expect it to exit early.

IOCs

Google provided the following IOCs (the hashes are SHA-256):

Indicator                                                         Type        Notes
136[.]243[.]108[.]14                                              IP address  C2 server
173[.]209[.]51[.]54                                               IP address  C2 server
03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369  SHA-256     HYPERSCRAPE binary
35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208  SHA-256     HYPERSCRAPE binary
5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798  SHA-256     HYPERSCRAPE binary
6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f  SHA-256     HYPERSCRAPE binary
767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4  SHA-256     HYPERSCRAPE binary
977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f  SHA-256     HYPERSCRAPE binary
ac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6  SHA-256     HYPERSCRAPE binary
cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa  SHA-256     HYPERSCRAPE binary
1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23  SHA-256     Microsoft Live DLL
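Putting the table to use. The script below is an added example, not code from Google's report or from this post: it refangs the published indicators and checks them against local telemetry, matching C2 addresses in log lines as whole tokens (so 136.243.108.140 does not match 136.243.108.14) and matching file digests case-insensitively. The proxy/DNS log lines and the hash list it runs over are constructed for the demonstration; sha256_of_file() is provided for feeding real samples into the same check.

```python
"""Match Google TAG's published HYPERSCRAPE IOCs against local telemetry.

Added example, not part of Google's report or the original post. The IOC
values below are the ones Google published; the log lines and file hashes
used as input are constructed for the demonstration.
"""
import hashlib
import re

# C2 addresses exactly as published (defanged); refanged before matching.
C2_IPS_DEFANGED = [
    "136[.]243[.]108[.]14",
    "173[.]209[.]51[.]54",
]

# SHA-256 digests from the table, keyed to the label Google gave them.
HASH_IOCS = {
    "03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369": "HYPERSCRAPE binary",
    "35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208": "HYPERSCRAPE binary",
    "5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798": "HYPERSCRAPE binary",
    "6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f": "HYPERSCRAPE binary",
    "767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4": "HYPERSCRAPE binary",
    "977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f": "HYPERSCRAPE binary",
    "ac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6": "HYPERSCRAPE binary",
    "cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa": "HYPERSCRAPE binary",
    "1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23": "Microsoft Live DLL",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging so published IOCs compare equal to raw log values."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


C2_IPS = {refang(ip) for ip in C2_IPS_DEFANGED}

# Whole-token matches only: \b keeps 136.243.108.140 from matching 136.243.108.14.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines):
    """Return (line_number, ip) for every line carrying a known C2 address."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                hits.append((n, ip))
    return hits


def scan_hashes(digests):
    """Return sorted (sha256, label) pairs for digests that match an IOC.

    Case-insensitive, because EDR exports and sandbox reports differ in case
    while the published table is lowercase.
    """
    found = {}
    for d in digests:
        key = d.strip().lower()
        if key in HASH_IOCS:
            found[key] = HASH_IOCS[key]
    return sorted(found.items())


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file on disk in chunks, for feeding scan_hashes() with real samples."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed sample telemetry (not real data): a benign Google address, one
# proxy hit, a near-miss with a longer last octet, and one DNS hit.
SAMPLE_LOG_LINES = [
    "2022-08-24T09:12:01Z proxy src=10.0.4.21 dst=142.250.74.5 host=mail.google.com",
    "2022-08-24T09:13:44Z proxy src=10.0.4.21 dst=136.243.108.14 host=- bytes=5120",
    "2022-08-24T09:14:02Z fw src=10.0.4.33 dst=136.243.108.140 action=allow",
    "2022-08-24T09:15:10Z dns client=10.0.4.21 answer=173.209.51.54",
]

# Constructed hash list: one IOC in uppercase, one benign digest, the DLL IOC.
SAMPLE_HASHES = [
    "03D0E7AD4C12273A42E4C95D854408B98B0CF5ECF5F8C5CE05B24729B6F4E369",
    hashlib.sha256(b"constructed benign file").hexdigest(),
    "1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23",
]

if __name__ == "__main__":
    for n, ip in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: traffic to HYPERSCRAPE C2 {ip}")
    for digest, label in scan_hashes(SAMPLE_HASHES):
        print(f"{label}: {digest}")
```

Run against real data by replacing SAMPLE_LOG_LINES with lines from the proxy, firewall or DNS logs and SAMPLE_HASHES with digests from an EDR export or from sha256_of_file() over suspect files. Because HYPERSCRAPE runs on the attacker's machine, the address matches will come from infrastructure that only the attacker talks to; on a victim's network the useful signal is the mailbox-side evidence described above (language changes, bulk message downloads, deleted security alerts), which the IOC list does not cover.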
