Google: Iranian hackers use new tool to steal email from victims
State-sponsored Iranian hacking group Charming Kitten has been using a new tool to download email messages from targeted Gmail, Yahoo, and Microsoft Outlook accounts.
Google TAG attributes the tool to Charming Kitten, an Iranian-backed group that is also known as APT35 and Phosphorus, and says that the earliest sample they found dates from 2020.
It is not a hacking tool but an instrument that helps the attacker steal email data and store it on their machine after logging into the victim's email account.
"Once logged in, the tool changes the account's language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread" - Google TAG. When the exfiltration completes, Hyperscraper changes the language back to the original setting and deletes the security alerts from Google to minimize its footprint.
Google TAG researchers say that older variants of Charming Kitten's utility could request data from Google Takeout, a service that allows users to export data from their Google account to back it up or to use it with a third-party service.
Google has observed Hyperscraper being used on a small number of accounts, "fewer than two dozen," all belonging to users in Iran.