According to Google, the HYPERSCRAPE tool is used by a group of cybercriminals to siphon the contents of mailboxes on Gmail, Yahoo and Outlook. It is currently reported to be used against users based in Iran, but its evolution should be watched.
In a new publication, researchers from the Google Threat Analysis team warn about this new tool, called HYPERSCRAPE, which has a very simple objective: to download all the e-mails from your mailbox without your knowledge.
To do this, the hackers must have your credentials (e-mail address and password) or have previously stolen an authentication cookie. This means that they don't need to compromise the target user's machine to deploy malware, since HYPERSCRAPE is installed on the attacker's machine.
A compromise of the victim's machine may still be needed beforehand to recover the credentials or an authentication cookie, so that the attacker can later siphon your mailbox from their own machine. We can say that HYPERSCRAPE is the last link in the chain.
When it runs, HYPERSCRAPE takes a few precautions to avoid suspicion and to remain invisible. First, it deletes any connection alerts received, of the style "New connection from location XYZ". Then it makes sure that all unread emails remain in that state, to leave the mailbox as it was before the malicious intervention.
Automating this process relies on the English-language interface, so HYPERSCRAPE sets the mailbox language to English, then switches back to the original language once the data has been exfiltrated (in EML format). Additionally, it relies on an old browser version to force the basic HTML display: this limits functionality.
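The behaviours described above, turned into detection logic as an added example (not code from Google's publication or from the tool itself): it flags mailbox sessions that combine an outdated browser, a switch to English and back, deletion of a security alert, and read messages re-marked as unread. The event schema, field names and browser-version threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical normalized mailbox audit schema
# (not a real provider log format), listed in chronological order.
EVENTS = [
    {"session": "s1", "action": "login", "browser_major": 104},
    {"session": "s1", "action": "read", "msg": "m1"},
    {"session": "s2", "action": "login", "browser_major": 45},
    {"session": "s2", "action": "set_language", "value": "en"},
    {"session": "s2", "action": "read", "msg": "m7"},
    {"session": "s2", "action": "mark_unread", "msg": "m7"},
    {"session": "s2", "action": "delete", "msg": "m9", "category": "security_alert"},
    {"session": "s2", "action": "set_language", "value": "fa"},
]

MIN_BROWSER_MAJOR = 90  # assumed cut-off for an "old" browser; tune per environment


def session_indicators(events):
    """Return {session: set of indicator names} for the behaviours in the article."""
    found = defaultdict(set)
    langs = defaultdict(list)   # language changes per session, in order
    read = defaultdict(set)     # messages opened per session
    for e in events:
        s, a = e["session"], e["action"]
        if a == "login" and e.get("browser_major", MIN_BROWSER_MAJOR) < MIN_BROWSER_MAJOR:
            found[s].add("outdated_browser")
        elif a == "set_language":
            langs[s].append(e["value"])
        elif a == "read":
            read[s].add(e["msg"])
        elif a == "mark_unread" and e["msg"] in read[s]:
            found[s].add("reread_marked_unread")
        elif a == "delete" and e.get("category") == "security_alert":
            found[s].add("security_alert_deleted")
    for s, seq in langs.items():
        # Language set to English, then changed away from it in the same session.
        if any(v == "en" and any(n != "en" for n in seq[i + 1:]) for i, v in enumerate(seq)):
            found[s].add("language_toggle_en")
    return dict(found)


def suspicious_sessions(events, threshold=3):
    """Sessions showing at least `threshold` distinct indicators."""
    return sorted(s for s, ind in session_indicators(events).items() if len(ind) >= threshold)


if __name__ == "__main__":
    print(suspicious_sessions(EVENTS))
```

Each indicator is weak on its own (users do mark mail unread or delete alerts), which is why the sketch only reports sessions where several coincide.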
Who is targeted by HYPERSCRAPE?
According to the analysis of Google researchers, this tool has claimed about twenty victims, all of them in Iran. For the moment, it is not reported to be used abroad, but its evolution will need to be monitored. It is reportedly used by members of the APT35 group, otherwise known as Charming Kitten, which is a group close to the Iranian government.
To be less vulnerable to this type of attack, you should activate multi-factor authentication on your various email accounts: the safest MFA method is to use a physical key.