The Iran-backed nation state threat actor Charming Kitten has been reported using a new tool which allows them to download and steal emails from Gmail, Yahoo, and Microsoft Outlook. For the attack to work, the threat actor must first acquire credentials for the account that is being targeted. After initial access is obtained, the threat actors utilized a tool named HYPERSCRAPE, which was identified by Google TAG last December. This malware appears to have been deployed and under active development since 2020. Once logged in, the tool changes the default language to English and individually downloads the emails within the mailbox. After the download is complete, the default language is reverted to its original, and all security email warnings are deleted. HYPERSCRAPE is written in .NET in order to target Windows PCs, and is designed to run on the attacker’s machine.
Analyst Notes
Without access to the target email account, the threat group is unable to steal any emails. It is important to follow best practices when securing email account including using a strong password that is not being reused on any other account, and enabling Two-Factor-Authentication (2FA).
https://www.darkreading.com/endpoint/charming-kitten-apt-wields-new-scraper-to-steal-email-inboxes
