The Threat Analysis Group (TAG) at Google has uncovered a new tool named HYPERSPACE being used by the Iranian government-backed group Charming Kitten that can be used to infiltrate Gmail, Yahoo, and Outlook inboxes.
As per the report, HYPERSPACE was first developed in 2020 and has been used to gain access to less than two dozen accounts in 2021. The report says that these accounts were based in Iran, as per Google’s knowledge. There is no word on if the tool has been used to penetrate into other accounts based out of Iran.
Google’s TAG team says that they were able to obtain a version of this tool and analyse it to get know its technical sophistication. And as per the team that the tool is still under active development.
How does HYPERSPACE work
Google says that the tool runs on the attacker’s machine, which is then used to infiltrate users’ email accounts, but it needs pre-acquired credentials or cookie sessions.
So, this process does not need to spoof users from downloading any malware. However, they need the credentials or cookie sessions to initialise the attack. But the tool is much different from the social-engineered attacks we have seen in the past.
Once the attacker is logged into the email account, the tool spoofs the browser to believe that the client is being accessed through an old version, thus turning on the basic HTML view, and then the tool changes the language to English.
Soon the tool opens the emails one by one and downloads them in .eml format, and marks the email unread. The tool even deletes warning emails and changes the language back to default upon completion.
The tool is written in .NET for Windows PCs. The TAG team tested it on Gmail in a controlled environment. So, the functionality may differ for Outlook and Yahoo. Google says that it has informed all the victims through the Government Backed Attacker Warnings.
FacebookTwitterInstagramKOO APPYOUTUBE
