Charming Kitten APT Wields New Scraper to Steal Email Inboxes

Published: 23/11/2024   Category: security




Google researchers say the nation-state hacking team is now employing a data-theft tool that targets Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials.



Iranian advanced persistent threat (APT) group Charming Kitten has a new data-scraping tool in its arsenal that claws emails from victims' Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials, Google researchers have found.
A team from Google's Threat Analysis Group (TAG) discovered the tool, dubbed Hyperscrape, last December and has been tracking it since then, it said in a new blog post.
"The attacker poses as a legitimate user by either initiating an authenticated user session that's been hijacked or via stolen credentials, and then runs the scraper to download victims' inboxes," TAG's Ajax Bash said in Google's post.
"It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail by resulting in an error message," he explained.
If the attacker can't access the account this way, the tool displays a login page for manually entering credentials to proceed, with Hyperscrape waiting until it finds the victim's inbox page, according to Bash.
Hyperscrape appears to have been around since 2020, when its first samples were spotted. Charming Kitten — aka Phosphorus and myriad other names — continues to actively develop the tool. Attacks so far have been limited to fewer than two dozen accounts located in Iran, the researchers found.
Modus Operandi
Once logged in, Hyperscrape changes the account's language settings to English and goes through the contents of the mailbox, individually downloading messages as .eml files and marking them unread, Bash explained.
After downloading messages from the inbox, the tool reverts the language back to its original settings and deletes any security emails from Google. The tool is written in .NET for targeting Windows PCs and is designed to run on the attacker's machine, he said.
Early versions of Hyperscrape included an option for actors to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.
This feature would spawn a new copy of the tool and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the export. Once received, the browser would navigate to the official Takeout link to request and eventually download the exfiltrated data.
The Takeout feature was never automated in the tool, however, and researchers said they’re not clear on why it was removed.
Google's researchers tested Hyperscrape specifically with a Gmail account, noting that functionality may differ for Yahoo or Microsoft email apps when under attack. Moreover, Hyperscrape won't run unless it is in a directory with other file dependencies, they explained.
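The behaviour described above (a login from a user agent that looks like an outdated browser, the mailbox language switched to English and later restored, every message pulled down one by one, and Google's own security emails deleted afterwards) is a sequence a defender can look for in account-activity data. The following Python is an added example, not code from Google TAG or from the article; it runs a simple indicator scorer over a constructed, hypothetical event list whose schema (`Event` with `action` and `detail` fields) is invented for illustration and does not match any real audit-log format. The user-agent markers, the bulk-fetch threshold and the security-mail keywords are assumptions to be tuned for a real environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Hypothetical account-activity record (constructed schema, not a real log format)."""
    ts: datetime
    account: str
    action: str   # "login", "set_language", "fetch_message", "delete_message"
    detail: str   # user agent, language code, or message sender/subject


# Substrings no current browser sends; an old-looking UA is what the article says
# the tool spoofs to force Gmail's basic HTML view. Assumed list, tune for your data.
OUTDATED_UA_MARKERS = ("MSIE 6.", "MSIE 7.", "MSIE 8.", "Firefox/3.", "Chrome/4.")
BULK_FETCH_THRESHOLD = 20          # messages fetched one by one within BULK_WINDOW
BULK_WINDOW = timedelta(hours=1)


def is_outdated_ua(user_agent: str) -> bool:
    return any(marker in user_agent for marker in OUTDATED_UA_MARKERS)


def is_google_security_mail(detail: str) -> bool:
    # Assumed keywords for Google's own security notifications about the account.
    d = detail.lower()
    return "google" in d and ("security alert" in d or "new sign-in" in d)


def _has_bulk_fetch(times) -> bool:
    """Sliding window: did BULK_FETCH_THRESHOLD fetches land inside BULK_WINDOW?"""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > BULK_WINDOW:
            start += 1
        if end - start + 1 >= BULK_FETCH_THRESHOLD:
            return True
    return False


def find_indicators(events):
    """Map each account to the list of Hyperscrape-like indicators seen in its events."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev.account].append(ev)

    result = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []
        if any(e.action == "login" and is_outdated_ua(e.detail) for e in evs):
            reasons.append("login with outdated user agent")
        langs = [e.detail for e in evs if e.action == "set_language"]
        # Language set to English first and something else afterwards: the revert.
        if len(langs) >= 2 and langs[0] == "en" and langs[-1] != "en":
            reasons.append("language switched to English and reverted")
        if _has_bulk_fetch(e.ts for e in evs if e.action == "fetch_message"):
            reasons.append("bulk per-message download")
        if any(e.action == "delete_message" and is_google_security_mail(e.detail)
               for e in evs):
            reasons.append("Google security email deleted")
        result[account] = reasons
    return result


def flagged(events, min_indicators=2):
    """Accounts showing at least min_indicators of the pattern, sorted by name."""
    return sorted(a for a, r in find_indicators(events).items()
                  if len(r) >= min_indicators)


def sample_events():
    """Constructed sample: one account matching the pattern, one behaving normally."""
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    old_ua = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    new_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"
    target, regular = "target@example.com", "regular@example.com"
    evs = [
        Event(t0, target, "login", old_ua),
        Event(t0 + timedelta(minutes=1), target, "set_language", "en"),
        Event(t0 + timedelta(minutes=10), target, "delete_message",
              "Google: Security alert - new sign-in on Windows"),
        Event(t0 + timedelta(minutes=11), target, "set_language", "fa"),
        Event(t0, regular, "login", new_ua),
    ]
    evs += [Event(t0 + timedelta(minutes=2, seconds=10 * i), target,
                  "fetch_message", f"msg-{i}") for i in range(25)]
    evs += [Event(t0 + timedelta(minutes=5 * i), regular,
                  "fetch_message", f"msg-{i}") for i in range(3)]
    return evs


if __name__ == "__main__":
    for account, reasons in find_indicators(sample_events()).items():
        print(account, "->", reasons or "no indicators")
```

The point of scoring several weak indicators together is that each one alone (an old user agent, a language change, a burst of downloads) is noisy on its own; the combination, in the order the article describes, is what makes the pattern worth an analyst's time.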
Furthering Objectives
Charming Kitten is a prolific APT believed to be backed by the government of Iran and known by a number of other names — including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus.
The group — which first rose to prominence in 2018 — has been extremely active in the last several years and is best known for targeted cyber-espionage attacks against politicians, journalists, human-rights activists, researchers, scholars, and think tanks.
Some of the APT's more high-profile attacks occurred in 2020, when the group targeted the Trump and Biden presidential campaigns as well as attendees of two global geopolitical summits, the Munich Security Conference and the Think 20 (T20) Summit, in separate incidents.
While Hyperscrape doesn't showcase anything groundbreaking as far as novel malware goes, it does show Charming Kitten's commitment to developing custom capabilities dedicated to a particular purpose, according to Bash.
"Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten's objectives," he explained.
And while groups like Charming Kitten often have very targeted goals for their activity, Google TAG's disclosure and work with law enforcement against APTs is aimed at raising awareness within both the security community and targeted companies and communities, according to the blog post.
The company encourages high-risk users to enroll in its Advanced Protection Program (APP) and use Google Account Level Enhanced Safe Browsing to ensure a high level of protection against ongoing threats.
