Google’s Threat Analysis Group (TAG) managed to obtain a version of the tool and thinks it is pretty dangerous.
Dubbed HYPERSCRAPE, the tool was built in 2020 by the government-backed hacker group that thought the name Charming Kitten sounded fearsome.
The tool runs on the attacker’s endpoint, which sounds rather painful for the Iranians, but it means victims don’t have to be tricked into downloading any malware. However, the kittens do first need to steal the victim’s account credentials or session cookies and then log into the victim’s account.
While this sounds like most of the work is done, your average kitten cannot be bothered going through every email and just wants to download the juicy bits.
The tool tricks the email service into thinking it is being accessed from an outdated browser, so the service switches to its basic HTML view. After that, it changes the inbox’s language to English, opens emails one by one, and downloads each as a .eml file. Messages that were marked as unread before the attack are marked as unread again afterward. Any warning emails are deleted, the account is reverted to its original state, and the kittens make a hasty exit.
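As an added illustration, not part of the original article and not Google TAG’s code, here is a defender-side heuristic that scores a mailbox session against the behaviour just described: an outdated browser user agent, a switch to basic HTML view, the UI language forced to English, a run of open-then-export-as-.eml actions, read state being reset, and security-alert mail being deleted. The log format, session IDs, action names and message IDs are all constructed for the example and match no real provider’s audit schema; a practitioner would map them onto whatever mailbox audit events their own provider exposes.

```python
"""Heuristic detector for a HYPERSCRAPE-style mailbox session.

Added example (not from the article or from Google TAG). The event format is
constructed for this example: one event per line, "<session_id> <action> <detail>".
"""
import re
from collections import defaultdict

# Constructed sample log: session s1 matches the pattern, session s2 is a normal user.
SAMPLE_LOG = """\
s1 login ua=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
s1 view_mode basic_html
s1 set_language en
s1 open_message id=101
s1 export_message id=101 fmt=eml
s1 mark_unread id=101
s1 open_message id=102
s1 export_message id=102 fmt=eml
s1 mark_unread id=102
s1 open_message id=103
s1 export_message id=103 fmt=eml
s1 delete_message id=900 subject=Security alert
s1 set_language fa
s1 logout
s2 login ua=Mozilla/5.0 (X11; Linux x86_64) Chrome/104.0
s2 open_message id=201
s2 reply id=201
s2 logout
"""

# Very old browser identifiers; tune to your own baseline of legitimate clients.
OUTDATED_UA = re.compile(r"MSIE \d|Mozilla/4\.0")


def _msg_id(detail):
    """Pull the message id out of a detail string such as 'id=101 fmt=eml'."""
    m = re.search(r"id=(\d+)", detail)
    return m.group(1) if m else None


def parse_events(log_text):
    """Group log lines by session id; each event becomes an (action, detail) pair."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        session_id, action = parts[0], parts[1]
        detail = parts[2] if len(parts) > 2 else ""
        sessions[session_id].append((action, detail))
    return sessions


def session_indicators(events, min_exports=3):
    """Return the set of indicator names observed in one session's events."""
    found = set()
    exports = 0
    last_opened = None
    for action, detail in events:
        if action == "login" and OUTDATED_UA.search(detail):
            found.add("outdated_user_agent")
        elif action == "view_mode" and detail == "basic_html":
            found.add("basic_html_view")
        elif action == "set_language" and detail == "en":
            found.add("language_forced_english")
        elif action == "open_message":
            last_opened = _msg_id(detail)
        elif action == "export_message" and "fmt=eml" in detail:
            exports += 1
        elif action == "mark_unread" and _msg_id(detail) == last_opened:
            # The message was just opened and is now being put back to unread.
            found.add("read_state_restored")
        elif action == "delete_message" and "security alert" in detail.lower():
            found.add("security_alert_deleted")
    if exports >= min_exports:
        found.add("bulk_eml_export")
    return found


def flag_sessions(log_text, threshold=4):
    """Return [(session_id, sorted indicators)] for sessions meeting the threshold."""
    flagged = []
    for session_id, events in parse_events(log_text).items():
        indicators = session_indicators(events)
        if len(indicators) >= threshold:
            flagged.append((session_id, sorted(indicators)))
    return flagged


if __name__ == "__main__":
    for session_id, indicators in flag_sessions(SAMPLE_LOG):
        print(f"{session_id}: {', '.join(indicators)}")
```

No single indicator is conclusive on its own (plenty of real users still switch to basic HTML or change the UI language), which is why the session is scored on how many of them co-occur rather than on any one event.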
Apparently, the tool has so far been used against no more than two dozen accounts, all located in Iran. Google says it notified all of them via its Government Backed Attacker Warnings. The tool was written in .NET for Windows PCs, TAG added, saying it tested it against Gmail, “although functionality may differ for Yahoo! and Microsoft accounts”.