HYPERSCRAPE Malware


The HYPERSCRAPE Malware is an info-stealer threat connected to the activities of the APT (Advanced Persistent Threat) group tracked as Charming Kitten (APT35). Charming Kitten is believed to be backed by the Iranian government. As for HYPERSCRAPE, it is a threat written in .NET for Windows PCs and its primary goal is to collect information from the victim's Gmail, Yahoo! and Microsoft Outlook accounts. Details about HYPERSCRAPE and its behavior were released in a report by Google's Threat Analysis Group (TAG). The researchers also stated that around a dozen victims of the threat located in Iran have been identified.

To perform its malicious functions, HYPERSCRAPE requires that the login credentials for the targeted account have already been compromised and obtained by the threat actors. Once it has successfully accessed the victim's account, the threat's first action is to check the current language setting and switch it to English, if necessary. HYPERSCRAPE then iterates through the different tabs of the inbox, looking for emails to download. Whenever such an email is found, the threat clicks to open it before starting a download. To mask its actions, HYPERSCRAPE returns any initially unread emails to their original unread state. The malware can also delete any security emails received from Google.

Downloaded emails are saved in the 'Downloads' directory as files with the '.eml' extension. A log recording the total count of downloaded emails is also created. When its current run is finished, the threat makes an HTTP POST request to its Command-and-Control (C2, C&C) server, transmitting status and system information but not the downloaded emails.
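Because HYPERSCRAPE runs on the attacker's machine with stolen credentials, the victim-side evidence lives in the mailbox's own activity history rather than on an endpoint. The following is an added example, not code from the report or the malware, of a behavioural check over such activity: it flags a login session that forces the language to English, opens many messages and returns them to unread within a short window, and deletes Google security alerts. The event schema, the alert sender address, and the thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed event schema; this is not a real Gmail or Workspace audit-log format.
@dataclass
class MailEvent:
    ts: int        # seconds since the session started
    session: str   # login session identifier
    action: str    # "set_language", "open", "download", "mark_unread", "delete"
    detail: str    # language code, message id, or sender address

# Assumed sender of Google account security alerts (replace with what your logs show).
GOOGLE_SECURITY_SENDER = "no-reply@accounts.google.com"

def flag_sessions(events, min_restores=5, window=60):
    """Return {session_id: [indicators]} for sessions matching the pattern described above.
    Each indicator scores one point; two or more points flag the session."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        indicators = []
        if any(e.action == "set_language" and e.detail == "en" for e in evs):
            indicators.append("language_switched_to_english")
        opened, restores = {}, 0
        for e in evs:
            if e.action == "open":
                opened[e.detail] = e.ts
            elif (e.action == "mark_unread" and e.detail in opened
                  and e.ts - opened[e.detail] <= window):
                restores += 1  # message opened, then quickly returned to unread
        if restores >= min_restores:
            indicators.append(f"open_then_unread:{restores}")
        if any(e.action == "delete" and e.detail == GOOGLE_SECURITY_SENDER for e in evs):
            indicators.append("security_alert_deleted")
        if len(indicators) >= 2:
            flagged[sid] = indicators
    return flagged

# Constructed sample: one scripted export session (s1) and one ordinary user session (s2).
SAMPLE = [MailEvent(0, "s1", "set_language", "en")]
for i in range(6):
    SAMPLE.append(MailEvent(10 + i * 5, "s1", "open", f"msg{i}"))
    SAMPLE.append(MailEvent(12 + i * 5, "s1", "download", f"msg{i}"))
    SAMPLE.append(MailEvent(13 + i * 5, "s1", "mark_unread", f"msg{i}"))
SAMPLE.append(MailEvent(100, "s1", "delete", GOOGLE_SECURITY_SENDER))
SAMPLE += [MailEvent(0, "s2", "open", "msgA"), MailEvent(900, "s2", "mark_unread", "msgA")]

if __name__ == "__main__":
    for sid, why in flag_sessions(SAMPLE).items():
        print(sid, why)
```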

HYPERSCRAPE is a novel malware threat that is run on the attacker's own machine rather than on the victim's. It is also still under active development, so its functionality and feature set could be expanded or changed in the future. Earlier versions of the threat were able to request data from Google Takeout, but the attackers removed this functionality for unknown reasons.
