Iranian malware steals user data from Gmail, Yahoo!, and Microsoft Outlook
A malicious actor known as Charming Kitten — backed by the Iranian government — has developed a new malware tool that pulls user data from victims’ Gmail, Yahoo!, and Microsoft Outlook accounts.
According to a blog post from Google’s Threat Analysis Group (TAG), the malicious tool has been used against fewer than two dozen email accounts in Iran, with the first example dating back to 2020.
The tool, which TAG dubbed Hyperscrape, was first discovered in December 2021, and the threat actor behind the software is believed to be associated with Iran’s Revolutionary Guard Corps.
Charming Kitten has a history of carrying out espionage in line with the interests of the Iranian government.
Google TAG researcher Ajax Bash explained that the attack requires the victim’s account credentials to pull data.
“Hyperscrape requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired,” Bash said.
The tool includes functions to download and extract the contents of a victim’s inbox, and it deletes the security emails Google sends to notify the victim of suspicious activity.
Hyperscrape goes so far as to open and download unread emails and then mark them as unread again once it has extracted their contents, so the victim sees no trace of the access.
Bash emphasised the tool is not notable for its technical sophistication but rather its effectiveness in achieving Charming Kitten’s objectives.