Google: Iranian hackers use new tool to steal email from victims
State-sponsored Iranian hacking group Charming Kitten has been using a new tool to download email messages from targeted Gmail, Yahoo, and Microsoft Outlook accounts.
Google TAG attributes the tool to Charming Kitten, an Iranian-backed group that is also known as APT35 and Phosphorus, and says that the earliest sample they found dates from 2020.
It is not a hacking tool but an instrument that helps the attacker steal email data and store it on their machine after logging into the victim's email account.
"Once logged in, the tool changes the account's language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread" - Google TAG. When the exfiltration completes, Hyperscraper changes the language back to the original setting and deletes the security alerts from Google to minimize its footprint.
Google TAG researchers say that older variants of Charming Kitten's utility could request data from Google Takeout, a service that allows users to export data from their Google account to back it up or to use it with a third-party service.
Google has observed Hyperscraper being used on a small number of accounts, "fewer than two dozen," all belonging to users in Iran.
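The behaviour quoted above leaves an ordered trail that a defender can correlate: language switched to English, messages downloaded and immediately marked unread, a security alert deleted, language restored. The sketch below is an added example, not code from Google TAG or the article; the event schema, action names, sample events and the `MIN_DOWNLOADS` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

MIN_DOWNLOADS = 3  # assumed threshold; tune to normal export volume

def ev(ts, account, action, **fields):
    """Build one event in a hypothetical, simplified audit schema."""
    return {"ts": ts, "account": account, "action": action, **fields}

# Constructed sample events (not real logs). Account "a" shows the full
# sequence the article describes; account "b" only changes language.
SAMPLE = [
    ev(1, "a@example.com", "language_change", old="fa", new="en"),
    ev(2, "a@example.com", "message_download", msg="m1"),
    ev(3, "a@example.com", "mark_unread", msg="m1"),
    ev(4, "a@example.com", "message_download", msg="m2"),
    ev(5, "a@example.com", "mark_unread", msg="m2"),
    ev(6, "a@example.com", "message_download", msg="m3"),
    ev(7, "a@example.com", "mark_unread", msg="m3"),
    ev(8, "a@example.com", "message_delete", category="security_alert"),
    ev(9, "a@example.com", "language_change", old="en", new="fa"),
    ev(1, "b@example.com", "language_change", old="de", new="en"),
    ev(2, "b@example.com", "message_download", msg="x1"),
]

def find_scrape_sessions(events):
    """Return {account: summary} for accounts matching the full pattern."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)
    hits = {}
    for account, evs in by_account.items():
        original, downloaded, reread, alerts_deleted, restored = None, set(), set(), 0, False
        for e in evs:
            a = e["action"]
            if a == "language_change" and original is None and e["new"] == "en" and e["old"] != "en":
                original = e["old"]          # window opens: language switched to English
            elif original is None or restored:
                continue                     # ignore activity outside the window
            elif a == "message_download":
                downloaded.add(e["msg"])
            elif a == "mark_unread" and e["msg"] in downloaded:
                reread.add(e["msg"])         # read state reset right after download
            elif a == "message_delete" and e.get("category") == "security_alert":
                alerts_deleted += 1
            elif a == "language_change" and e["new"] == original:
                restored = True              # window closes: original language restored
        if restored and len(reread) >= MIN_DOWNLOADS and alerts_deleted:
            hits[account] = {"language": original, "messages": len(reread), "alerts_deleted": alerts_deleted}
    return hits
```

Requiring every step of the sequence keeps a user who simply changes their display language from being flagged; accounts whose default language is already English never open the window and need a different signal.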