Google Uncovers Tool Used by Iranian Hackers to Steal Data

Google is one of the popular search engines that are offering services to the global population with data and a platform to put their businesses online. In recent reports, it’s been seen that Google has discovered something vicious that is done by Iranian Hackers to steal the confidential data of users and can break the rules of the Company’s Data Safety Policy.

A new tool was introduced by Charming Kitten (Iranian Government-Backed Actor) in its malware arsenal. It allows retrieving users’ data from several platforms’ accounts such as:

Gmail,
Yahoo!,
Microsoft Outlook accounts.

Google Threat Analysis Group (TAG) acknowledged these Tools by the name HYPERSCRAPE. According to Google, attackers used the oldest sample from the year 2020, on less than 2 dozen Accounts in Iran. This actively upgrading malicious software was first identified in December 2021.

Charming Kitten, (prolific advanced persistent threat)

It is assumed that this group is backed by Iran’s Islamic Revolutionary Guard Corps (IRGC). Moreover, it has a record of spying grouped with the government’s interests.

Groups that were seen doing ransomware attacks, were spotted by different names as:

APT35
Cobalt Illusion
ITG18
Phosphorus
TA453
Yellow Garuda

Suggestion to users is that the only straightforward goals of the adversary are spying and financially driven. This tool is powerful enough that allows attackers to steal the victims’ data from their inboxes without letting them know that they are being hacked by someone. This tool is not a hacking tool but more of an instrument that allows adversaries to after stealing the data stored on a machine while logged in to the victim’s email account.

Process of the Attack

Google TAG researcher Ajax Bash said

“HYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired. Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives.“

Watch related news : Click here Now!

Process of attack on users’ accounts

Written on .NET. This tool is customized to run on the attacker’s Windows machine.
It comes with a feature allowing downloading and exfiltrating the contents of a victim’s email inbox.
Moreover, it deletes security emails sent from Google to not let the target know of any suspicious logins.
New mails coming on Gmails shows as “unread.” The instrument used in hacking marks the messages as unread after opening and downloading the email as a “.eml” file.
Subsequently, previous versions of HYPERSCRAPE also had the option to request data from Google Takeout.
That’s the feature allowing users to export their data to a downloadable archive file.

Related Events, Telegram

This event followed the recent discovery of a C++-based Telegram “grabber” tool by PwC. That tool was used in contrast to domestic targets to get access to Telegram MSGs and contacts from specific Accounts.

Previously, the group was spotted deploying a custom Android surveillanceware called LittleLooter. That malware has the feature to gather confidential data stored in the victimized devices as well as record audio, video, and calls.

Actions Taken

Victimized accounts were handled carefully, re-secured, and just after that victims had been informed of the actions taken to do so. You see, there are a lot of techniques that the attackers might use to take advantage of your ignorance.

While you were relaxing and might be thinking data you saved online is secured on unknown sites or even popular sites might be in danger on such platforms. Attackers on such platforms could be planning to attack users’ accounts including yours from a distance far away.

Users are advised to keep their devices secured with malware protection software and don’t click on unknown links that may look genuine from the eyes. Be Secure, Learn More!

Watch more news :