Executive Summary
Google’s Threat Analysis Group (TAG) recently reported on Hyperscrape, a new data extraction tool used by the Iran-nexus threat actor group Charming Kitten.
Key Takeaways
- Hyperscrape is a data extraction tool used to steal emails.
- Affected services include Gmail, Yahoo, and Outlook.
- Hyperscrape is written in .NET and targets Windows machines.
What is Hyperscrape?
Google’s TAG discovered Hyperscrape in late 2021. Hyperscrape is a data extraction tool or scraper. Charming Kitten has used Hyperscrape since at least 2020 to steal user data from Gmail, Yahoo, and Outlook accounts, using previously harvested credentials.
Hyperscrape is written in .NET and targets Windows machines. Hyperscrape must have access to a victim’s account credentials to run. Threat actors can access these accounts by hijacking a valid, authenticated user session or by using previously acquired credentials.
In the sample Google’s TAG analyzed, Hyperscrape spoofs the user agent to masquerade as an outdated browser, which makes Gmail fall back to its basic HTML view. Once Hyperscrape has access to a victim’s account, it changes the account language settings to English and scans the contents of the mailbox, downloading emails as .eml files and then marking messages that were previously unread as unread again. Once messages are downloaded, Hyperscrape returns the language settings to those chosen by the victim and deletes any security emails sent by Google. Some versions included the option to request data from Google Takeout, allowing threat actors to obtain a downloadable archive file of the victim’s data.
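A defender-side illustration of the behavioural sequence just described, written as an added example (not PolySwarm’s or Google TAG’s code): it scores per-session mailbox activity for the four Hyperscrape traits the text lists (legacy user agent, language forced to English and later restored, bulk .eml export, deletion of a Google security notice). The log schema, the user-agent regex and the bulk threshold are constructed assumptions; a real deployment would map its mail provider’s audit events onto these fields.

```python
import re
from collections import defaultdict
# Constructed sample records: (timestamp, session_id, event, detail). Session s1
# is benign; s2 reproduces the sequence the text attributes to Hyperscrape.
SAMPLE_LOG = [
    ("2022-08-01T09:00:01Z", "s1", "login", "ua=Mozilla/5.0 (Windows NT 10.0) Chrome/104.0"),
    ("2022-08-01T09:00:10Z", "s1", "open_message", "id=101"),
    ("2022-08-01T09:05:00Z", "s1", "download_message", "id=102 fmt=eml"),
    ("2022-08-01T13:00:01Z", "s2", "login", "ua=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ("2022-08-01T13:00:02Z", "s2", "settings_change", "language=en"),
    ("2022-08-01T13:00:05Z", "s2", "download_message", "id=201 fmt=eml"),
    ("2022-08-01T13:00:06Z", "s2", "download_message", "id=202 fmt=eml"),
    ("2022-08-01T13:00:07Z", "s2", "download_message", "id=203 fmt=eml"),
    ("2022-08-01T13:00:08Z", "s2", "mark_unread", "id=202"),
    ("2022-08-01T13:02:00Z", "s2", "settings_change", "language=fa"),
    ("2022-08-01T13:02:05Z", "s2", "delete_message", "from=no-reply@accounts.google.com subject=Security alert"),
]

# Constructed heuristics: browser tokens old enough to trigger basic HTML Gmail,
# and the per-session .eml export count above which we call the activity "bulk".
LEGACY_UA = re.compile(r"MSIE \d|Firefox/[1-9]\.|Windows NT 5\.")
BULK_THRESHOLD = 3

def parse(detail):
    """Split 'k=v k2=v v' into a dict; a value runs until the next 'key=' token."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", detail))

def score_sessions(log, min_hits=2):
    """Return {session_id: [indicator, ...]} for sessions matching at least
    min_hits of the four behaviours described for Hyperscrape."""
    sessions = defaultdict(list)
    for _, sid, event, detail in log:
        sessions[sid].append((event, parse(detail)))
    flagged = {}
    for sid, events in sessions.items():
        hits = []
        if any(e == "login" and LEGACY_UA.search(d.get("ua", "")) for e, d in events):
            hits.append("legacy_user_agent")
        # Language forced to English, then restored before the session ends.
        langs = [d["language"] for e, d in events if e == "settings_change" and "language" in d]
        if len(langs) >= 2 and langs[0] == "en" and langs[-1] != "en":
            hits.append("language_toggle")
        if sum(d.get("fmt") == "eml" for e, d in events if e == "download_message") >= BULK_THRESHOLD:
            hits.append("bulk_eml_download")
        if any(e == "delete_message" and ("accounts.google.com" in d.get("from", "")
               or "security" in d.get("subject", "").lower()) for e, d in events):
            hits.append("security_notice_deleted")
        if len(hits) >= min_hits:
            flagged[sid] = hits
    return flagged
```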
Who is Charming Kitten?
Charming Kitten, also known as APT35, Phosphorus, Newscaster, TA453, Cobalt Illusion, Magic Hound, and ITG18, is an Iran-nexus state-sponsored threat actor group tentatively linked to the Islamic Revolutionary Guard Corps. Charming Kitten has previously targeted government and military personnel, academics, journalists, and the World Health Organization. Targets were primarily located in the US and the Middle East. The group has been active since at least 2014.
Charming Kitten TTPs include but are not limited to social engineering, use of compromised email accounts, targeted phishing attacks, using Amazon S3 buckets and IRC for C2, leveraging Log4j vulnerabilities, and watering hole attacks, along with tools such as Havij, sqlmap, Metasploit, Mimikatz, CharmPower, DownPaper, PsExec, and Pupy. Charming Kitten is known for its moderate skill level, easily recognizable TTPs, an expansive infrastructure, and notoriously sloppy OPSEC.
IOCs
PolySwarm has multiple samples of Hyperscrape.
You can use the following CLI command to search for all Hyperscrape samples in our portal:
$ polyswarm link list -f Hyperscrape