Iranian Hackers Use Specialized Tool To Steal People's Emails, Google Found

While more and more people communicate through social media platforms and messaging apps, emails are still being used by lots of people, professionally.

Hackers that know this, are utilizing the fact to scrape people's inboxes, right under their noses. The tool they use, called 'HYPERSCAPE', can be used to steal data from mailboxes such as Gmail, Yahoo! or Microsoft Outlook.

The team at Google’s Threat Analysis Group (TAG) who managed to obtain the tool, reported their finding, and ran simulation to see how dangerous the tool really is.

And here, the team realized that HYPERSCAPE can read off all the emails that accumulate in a target's inbox, by siphoning them.

HYPERSCRAPE
HYPERSCRAPE file metadata. (Credit: Google)

In other words, HYPERSCAPE isn't a hacking tool but instead, is an instrument that helps attackers steal email data and store it on their machine.

To make this tool work, the attackers must first steal victims' login credentials. This can be done through numerous methods, typically by stealing them.

After that, the tool essentially spoofs victims' browsers' user agent to mimic an outdated web browser.

This makes web pages to appear in basic HTML, making it seem that the browser cannot run any CSS or JavaScript.

The tool will change the language to English if it is not already, and start scraping everything.

HYPERSCAPE works by opening emails one by one and downloads them into the .eml.

To evade detection, HYPERSCAPE ensures previously unread emails are marked as such. After successfully downloading all emails, the tool deletes any warning emails, reverts the language back to its original state, and disappears.

Another way of saying it, stealing people's emails doesn't involve tricking victims into downloading any malware.

What attackers need to do, is tricking victims into believing that they are accessing their email through an outdated browser.

According to report by Google’s TAG, the tool is being used by Charming Kitten, or also known as APT-35 and Magic Hound, a state-sponsored threat actor originating from Iran.

The threat actors have been targeting governments and military personnel, as well as academics and journalists in the U.S. and the Middle East.

Their main goal, is conducting espionage, in order to spy and gather information.

[block:block=87]

HYPERSCRAPE
The error page from using an unsupported browser. (Credit: Google)

While the APT-35 doesn't make headlines as frequent as some others, and may not be the most sophisticated APT threat actor in the wild, the tools they use is found to be robust and highly effective.

When Google discovered the tool, HYPERSCAPE only targets accounts that are located in Iran.

According to its report, the tool is developed for Windows systems in .NET.

"We tested HYPERSCRAPE in a controlled environment with a test Gmail Account, although functionality may differ for Yahoo! and Microsoft accounts. HYPERSCRAPE won't run unless in a directory with other file dependencies," the team at Google said.

It's worth noting that the researchers at Google also discovered earlier versions of the tool, which allowed attackers to download data from Google TakeOut, a Google service made for their customers to download data from various Google services such as Gmail, Google Documents, Google Calendar and more.

For its part, Google took action to secure the affected accounts and notify the victims.