Jump to content
  • Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts

    aum

    • 274 views
    • 2 minutes
     Share


    • 274 views
    • 2 minutes

    The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts.


    Dubbed HYPERSCRAPE by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against less than two dozen accounts in Iran, with the oldest known sample dating back to 2020. The tool was first discovered in December 2021.


    Charming Kitten, a prolific advanced persistent threat (APT), is believed to be associated with Iran's Islamic Revolutionary Guard Corps (IRGC) and has a history of conducting espionage aligned with the interests of the government.


    Tracked as APT35, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda, elements of the group have also carried out ransomware attacks, suggesting that the threat actor's motives are both espionage and financially driven.


    "HYPERSCRAPE requires the victim's account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired," Google TAG researcher Ajax Bash said.


    Written in .NET and designed to run on the attacker's Windows machine, the tool comes with functions to download and exfiltrate the contents of a victim's email inbox, in addition to deleting security emails sent from Google to alert the target of any suspicious logins.


    Should a message be originally unread, the tool marks it as unread after opening and downloading the email as a ".eml" file. What's more, earlier versions of HYPERSCRAPE are said to have included an option to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.


    The findings follow the recent discovery of a C++-based Telegram "grabber" tool by PwC used against domestic targets to obtain access to Telegram messages and contacts from specific accounts.


    Previously, the group was spotted deploying a custom Android surveillanceware called LittleLooter, a feature-rich implant capable of gathering sensitive information stored in the compromised devices as well as recording audio, video, and calls.


    "Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten's objectives," Bash said. The affected accounts have since been re-secured and the victims notified.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...