Information about a new threat to Google and its users was disclosed in a report published by Google’s Threat Analysis Group (TAG). The threat is a new tool called HYPERSCAPE, used by an Iranian government-backed group known as ‘Charming Kitten’, which targets high-risk users.
According to the report, HYPERSCAPE was primarily used to “steal data from Gmail, Yahoo! and Microsoft Outlook accounts.”
News reports and threat-research groups reveal that HYPERSCAPE has been around since 2020, when watchers of advanced persistent threat (APT) groups first discovered this data-theft tool. That HYPERSCAPE is still in use was revealed by Google in its latest blog post.
What matters is that HYPERSCAPE, as a data-theft tool, is being constantly updated to make it more customised and target-oriented.
According to the blog post, the group behind this malware runs HYPERSCAPE on its own system and then downloads the victims’ inboxes using credentials it stole earlier. The report confirms that the tool has already been deployed against “fewer than two dozen accounts located in Iran.”
However, TAG says it has taken the required actions to re-secure the affected accounts. TAG researchers said the hacking team employed the data-theft tool against its targets; TAG discovered this ‘Charming Kitten’ tool, called ‘HYPERSCAPE’, in December 2021.
While HYPERSCAPE is certainly dangerous for those it targets, the report indicates that only a few accounts have been compromised so far, all of them based in Iran. As the “tool is still under active development,” it is essential to understand the basic functioning of HYPERSCAPE.
To operate, HYPERSCAPE first needs valid user credentials. Logging in with those credentials, the attacker changes the account language to English, then browses the victim’s mailbox and downloads its messages and files. Once it has obtained the required data, the tool reverts the account settings, changing the language back to the original and marking all the mails as unread. Moreover, it also deletes any security messages the account received.
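The behavioural sequence just described (language switched to English, mailbox read and downloaded, language restored, messages marked unread, security alerts deleted) can be turned into a simple session-level detection heuristic. The following is an added example, not code from TAG or the report; the audit-event format, the session grouping and the account’s original language are constructed assumptions, so real mail-provider logs must be mapped onto this shape first.

```python
from collections import defaultdict

# Constructed sample audit events: (timestamp, session_id, action, detail).
# Session s1 replays the HYPERSCAPE-style sequence; s2 is ordinary use.
SAMPLE_EVENTS = [
    (1, "s1", "login", "ok"),
    (2, "s1", "set_language", "en"),           # forced to English for scraping
    (3, "s1", "open_message", "msg-1"),
    (4, "s1", "download_attachment", "msg-1"),
    (5, "s1", "open_message", "msg-2"),
    (6, "s1", "set_language", "fa"),           # reverted to the original
    (7, "s1", "mark_unread", "msg-1"),
    (8, "s1", "mark_unread", "msg-2"),
    (9, "s1", "delete_message", "security_alert"),  # detail = message category
    (10, "s2", "login", "ok"),
    (11, "s2", "open_message", "msg-3"),
]

ORIGINAL_LANG = "fa"  # assumed per-account default language


def score_session(events, original_lang=ORIGINAL_LANG):
    """Return the set of HYPERSCAPE-like indicators seen in one session."""
    flags = set()
    langs = [d for _, _, a, d in events if a == "set_language"]
    # Language switched to English, then restored before the session ends.
    if "en" in langs and langs[-1] == original_lang and original_lang != "en":
        flags.add("language_toggle")
    opened = {d for _, _, a, d in events if a == "open_message"}
    unread = {d for _, _, a, d in events if a == "mark_unread"}
    # Every message that was opened is later marked unread again.
    if opened and opened <= unread:
        flags.add("read_then_unread")
    if any(a == "delete_message" and d == "security_alert"
           for _, _, a, d in events):
        flags.add("security_alert_deleted")
    return flags


def detect(events, min_flags=2):
    """Group events by session; return sessions with >= min_flags indicators."""
    by_session = defaultdict(list)
    for ev in sorted(events):
        by_session[ev[1]].append(ev)
    scored = {s: score_session(evs) for s, evs in by_session.items()}
    return {s: f for s, f in scored.items() if len(f) >= min_flags}


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Tuning `min_flags` trades false positives (a user who changes language once) against missed sessions; the language toggle combined with mass unread-marking is the distinctive part.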
Upon testing the tool in a controlled environment with a test Gmail account, TAG discovered that “HYPERSCAPE won’t run unless in a directory with other file dependencies.” Though TAG expressed its “commitment” to protecting users from attackers like ‘Charming Kitten’, it also “encourages high-risk users to enrol in their Advanced Protection Program (APP) and utilize Google Account Level Enhanced Safe Browsing to ensure they have the greatest level of protection in the face of ongoing threats.”