Google’s Threat Analysis Group (TAG) recently reported on Hyperscrape, a new data extraction tool used by the Iranian nexus threat actor group Charming Kitten.
- Hyperscrape is a data extraction tool used to steal emails.
- Affected services include Gmail, Yahoo, and Outlook.
- Hyperscrape is written in .NET and targets Windows machines.
Google’s TAG discovered Hyperscrape in late 2021. Hyperscrape is a data extraction tool or scraper. Charming Kitten has used Hyperscrape since at least 2020 to steal user data from Gmail, Yahoo, and Outlook accounts, using previously harvested credentials.
Hyperscrape is written in .NET and targets Windows machines. Hyperscrape must have access to a victim’s account credentials to run. Threat actors can access these accounts by hijacking a valid, authenticated user session or by using previously acquired credentials.
In the sample Google’s TAG analyzed, Hyperscrape spoofs the user agent to masquerade as an outdated browser, enabling basic HTML view in Gmail. Once Hyperscrape has access to a victim’s account, it changes the account language settings to English and scans the contents of the mailbox, downloading emails as .eml files then marking previously unread messages as unread. Once messages are downloaded, Hyperscrape returns the language settings to those chosen by the victim and deletes any security emails sent by Google. Some versions included the option to request data from Google Takeout, allowing threat actors to obtain a downloadable archive file of the victim’s data.
Who is Charming Kitten?
Charming Kitten, also known as APT35, Phosphorus, Newscaster, TA453, Cobalt Illusion, Magic Hound, and ITG18, is an Iran nexus state-sponsored threat actor group tentatively linked to the Islamic Revolutionary Guard Corps. Charming Kitten has previously targeted government and military personnel, academics, journalists, and the World Health Organization. Targets were primarily located in the US and the Middle East. The group has been active since at least 2014.
Charming Kitten TTPs include but are not limited to social engineering, use of compromised email accounts, targeted phishing attacks, using Amazon S3 buckets and IRC for C2, leveraging Log4j vulnerabilities, watering hole attacks, Havij, sqlmap, Metasploit, Mimikatz, CharmPower, DownPaper, PsExec, and Pupy. Charming Kitten is known for its moderate skill level, easily recognizable TTPs, an expansive infrastructure, and notoriously sloppy OPSEC.
PolySwarm has multiple samples of Hyperscrape.
You can use the following CLI command to search for all Hyperscrape samples in our portal:
$ polyswarm link list -f Hyperscrape
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at firstname.lastname@example.org | Check out our blog | Subscribe to our reports