Charming Kitten, also known as APT35 and Magic Hound, is a state-sponsored threat actor originating from Iran that has been active for about 10 years already. The threat actor has targeted government and military personnel, academics and journalists in the U.S. and Middle East. Their goal is cyberespionage.
APT35 might not be the most sophisticated APT threat actor in the wild, yet their tooling is robust and effective.
Google’s Threat Analysis Group (TAG) recently discovered a new tool named Hyperscrape which is able to steal data from mailboxes such as Gmail, Yahoo! or Microsoft Outlook.
What is Hyperscrape and how does it work?
Hyperscrape is a tool written for Windows systems in .NET. It is run on the attacker’s computer and allows, once in possession of valid email credentials or a valid session cookie, to quietly extract emails from mailboxes.
SEE: Mobile device security policy (TechRepublic Premium)
Once executed from a folder with specific file dependencies, the tool checks its connectivity to a particular command and control server; it will terminate if there is no connectivity. If everything is okay, the software opens an initial form to specify parameters (Figure A).
The parameters can also be provided in the command line. Once provided, the data is sent to the C2 for confirmation. A new form then appears, so the attacker can provide a valid cookie file unless they provided it via command line.
Hyperscrape then starts an embedded web browser and stores the cookies in a local cache used by that browser, which is configured to appear like an outdated browser. The browser then navigates to Gmail.
Gmail’s behavior in this case consists of providing an error message and leaving the possibility to use the “Basic HTML view” feature from the email service (Figure B).
If the session cookie fails at accessing the mailbox, the attacker is offered the ability to manually enter valid credentials in the browser.
Once successfully connected to the mailbox, the software checks for the Gmail language and sets it to English if it is not, while saving the current language parameter to restore it once the theft operation is done.
The tool then automatically checks all available tabs in the inbox, downloading every email it finds and setting it to the unread status again if necessary.
All emails are saved locally in a Downloads folder, the filename corresponding to the email subject. A log file is also generated (Figure C).
Once all emails have been dumped, the software sends status and system information to the C2 server and deletes any security email from Google that might have been generated by the tool’s activity.
Google researchers also discovered earlier versions of the tool, which allowed attackers to download data from Google TakeOut, a Google service made for their customers to download data from various Google services such as Gmail, Google Documents, Google Calendar and more.
In the case of Takeout, the tool would spawn a new copy of itself and initialize a pipe communication channel to replay the cookies and account name to the service and navigate to the legitimate Takeout link, with the goal of requesting and eventually downloading the data. It is unclear to researchers why that functionality has disappeared in later versions of the Hyperscrape tool.
Google researchers analyzed the tool in a controlled environment with a test Gmail account. They indicate that functionality may differ for Yahoo! or Microsoft accounts.
In addition to the Hyperscrape tool, PwC reported in July 2022 another tool used and probably developed by the threat actor, which allowed the theft of targeted Telegram accounts. Interestingly enough, that second tool needed an access to the email box of the victim to successfully work, so it is expected that Charming Kitten first operates Hyperscrape before using the email data for more compromising tools like the Telegram account dump.
How to protect from this threat?
The use of the Hyperscrape tool is only possible when the attacker is already in possession of valid credentials or a valid session cookie of the targeted mailbox.
Users should always fully disconnect from their mailbox when they do not use it. This highly reduces the time of validity of the session cookie that might have been stolen.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Users should also use multi-factor authentication (MFA) to access their mailboxes. The second channel of authentication should be one that the attacker cannot access, especially if the victim’s computer is compromised.
The way Charming Kitten obtains valid email credentials or session cookies from their victims is not known, yet it seems difficult to collect session cookies via other ways than using malware, so users should always have security software up to date and patched on their computer.
Finally, users should also always keep the operating system and all software up to date and patched in order to avoid being compromised by a common vulnerability.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.