Charming Kitten APT Wields New Scraper to Steal Email Inboxes

Google researchers say the nation-state hacking team is now employing a data-theft tool that targets Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials.

Photo of tabby kitten walking in a field of grass and wildflowers.
Source: Jakub Dvořák via Alamy Stock Photo

Iranian advanced persistent threat (APT) group Charming Kitten has a new data-scraping tool in its arsenal that claws emails from victim Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials, Google researchers have found.

A team from Google Threat Analysis Group (TAG) discovered the tool, dubbed Hyperscrape, last December and has been tracking it since then, it said in a new blog post.

The attacker poses as a legitimate user by either by initiating an authenticated user session that's been hijacked or via stolen credentials, and then runs the scraper to download victims' inboxes, TAG's Ajax Bash said in Google's post.

"It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail" by resulting in an error message, he explained.

If the attacker can't access the account this way, the tool displays a login page for manually entering credentials to proceed, with Hyperscrape waiting until it finds the victim's inbox page, according to Bash.

Hyperscrape appears to have been around since 2020, when its first samples were spotted. Charming Kitten — aka Phosphorus and myriad other names — continues to actively develop the tool. Attacks so far have been limited to less than two dozen accounts located in Iran, the researchers found.

Modus Operandi

Once logged in, Hyperscrape changes the account's language settings to English and goes through the contents of the mailbox, individually downloading messages as .eml files and marking them unread, Bash explained.

After downloading messages from the inbox, the tool reverts the language back to its original settings and deletes any security emails from Google. The tool is written in .Net for targeting Windows PCs and is designed to run on the attacker’s machine, he said.

Early versions of Hyperscrape included an option for actors to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.

This feature would spawn a new copy of the tool and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the export. Once received, the browser would navigate to the official Takeout link to request and eventually download the exfiltrated data.

The Takeout feature was never automated in the tool, however, and researchers said they’re not clear on why it was removed.

Google's researchers tested Hyperscrape specifically with a Gmail account, noting that functionality may differ for Yahoo or Microsoft email apps when under attack. Moreover, Hyperscrape won't run unless in a directory with other file dependencies, they explained.

Furthering Objectives

Charming Kitten is a prolific APT believed to be backed by government of Iran and known by a number of other names — including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus.

The group — which first rose to prominence in 2018 — has been extremely active in the last several years and is best known for targeted cyber-espionage attacks against politicians, journalists, human-rights activists, researchers, scholars, and think tanks.

Some of the APT's more high-profile attacks occurred in 2020, when the group targeted the Trump and Biden presidential campaigns as well as attendees of two global geopolitical summits, the Munich Security Conference and the Think 20 (T20) Summit, in separate and various incidents.

While Hyperscrape doesn’t showcase anything groundbreaking as far as novel malware goes, it does show Charming Kitten's commitment to developing custom capabilities dedicated to a particular purpose, according to Bash.

"Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives," he explained.

And while groups like Charming Kitten often have very targeted goals for their cybercriminal activity, Google TAG's disclosure and work with law enforcement against APTs is aimed at raising awareness within both the security community and targeted companies and communities, according to the blog post.

The company encourages high-risk users to enroll in its Advanced Protection Program (APP) and use Google Account Level Enhanced Safe Browsing to ensure a high level of protection against ongoing threats.

Read more about:

Black Hat News

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights