HYPERSCRAPE Malware Steals Information
HYPERSCRAPE is the name of a piece of malware associated with a threat actor known under the aliases Charming Kitten, APT35 and Phosphorus.
Charming Kitten is believed to be an Iran-based threat actor that receives government support. Its HYPERSCRAPE tool has been around for a while but has recently received a new update.
The original version of HYPERSCRAPE was discovered in late 2021 and was used as a cyberespionage tool against Iranian users. According to security researchers in Google's Threat Analysis Group, HYPERSCRAPE first needs the victim's account credentials, which it uses to open a user session that the threat actor controls.
In earlier builds, the command and control server address was hardcoded into the malware as a plain string; in the updated variant of HYPERSCRAPE it is obfuscated with Base64 encoding.
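Base64 hides a server address from a naive string search but does not protect it: any Base64 token in a binary can be decoded and checked for URL-like content. The following triage script is an added example for this article, not code from the malware or from Google's researchers. It scans a byte blob for cleartext URL-like strings (the earlier plain-string style) and for Base64 tokens that decode to URL-like text (the updated style). The sample blobs, the `.invalid` hostnames and the function names are constructed for the example and are not real indicators.

```python
import base64
import binascii
import re

# Printable ASCII runs of at least 8 characters, the usual "strings"-style scan.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Standalone Base64 tokens: Base64 alphabet only, at least 16 characters, optional padding.
_B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Loose URL / hostname shape applied to cleartext and to decoded Base64 output.
_URL_LIKE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(:\d+)?(/\S*)?$")


def _looks_like_url(text):
    return bool(_URL_LIKE.match(text.strip()))


def find_c2_candidates(blob):
    """Return a list of (kind, value) pairs found in the blob.

    kind is 'plain' for URL-like cleartext strings and 'base64' for Base64
    tokens whose decoded bytes are printable ASCII shaped like a URL.
    """
    findings = []

    # Pass 1: cleartext strings, which is all the earlier variant needed.
    for run in _ASCII_RUN.findall(blob):
        text = run.decode("ascii")
        if _looks_like_url(text):
            findings.append(("plain", text))

    # Pass 2: Base64 tokens, decoded strictly so random alphanumeric runs are rejected.
    for token in _B64_TOKEN.findall(blob):
        if len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
            text = decoded.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable() and _looks_like_url(text):
            findings.append(("base64", text))

    return findings


# Constructed sample "binaries" (not real samples): a plain hardcoded address
# as in the earlier variant, and a Base64-obfuscated one as in the update.
OLD_STYLE_URL = "http://c2.example.invalid/gate.php"
NEW_STYLE_URL = "https://update.example.invalid/api/check"

SAMPLE_OLD = (b"\x00" * 8 + OLD_STYLE_URL.encode("ascii") + b"\x00" * 8
              + b"GetInboxMessages\x00")
SAMPLE_NEW = (b"\x00" * 8 + base64.b64encode(NEW_STYLE_URL.encode("ascii"))
              + b"\x00" * 8 + b"GetInboxMessages\x00")


if __name__ == "__main__":
    for name, blob in (("old-style", SAMPLE_OLD), ("new-style", SAMPLE_NEW)):
        print(name, find_c2_candidates(blob))
```

The strict decode (`validate=True`, length a multiple of four, printable ASCII result) keeps false positives from ordinary identifiers low; in practice you would run this over the unpacked .NET assembly's string table and review every hit rather than trust the heuristic alone.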
Once the threat actor is in control of the session, the malware combs through the user's email inbox and exfiltrates copies of the messages as .eml files.
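Because the session is opened with the victim's own credentials, the login itself succeeds and looks legitimate; what stands out is the behaviour afterwards, a single session downloading an entire inbox message by message. The detector below is an added example for this article, not code from any mail provider or from the researchers cited. It assumes a constructed, comma-separated mailbox audit log (timestamp, session id, user, action, object) and flags any session whose `MessageDownload` count inside a sliding time window exceeds a threshold; the field names, actions and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Split one constructed audit line into (timestamp, session, user, action, object)."""
    ts, session, user, action, obj = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), session, user, action, obj


def flag_bulk_downloads(log_text, window=timedelta(minutes=10), threshold=50):
    """Return (session, user, peak_count) for sessions that download at least
    `threshold` messages within any `window`-long span."""
    per_session = defaultdict(list)
    session_user = {}
    for line in log_text.strip().splitlines():
        ts, session, user, action, _ = parse_line(line)
        if action == "MessageDownload":
            per_session[session].append(ts)
            session_user[session] = user

    alerts = []
    for session, times in per_session.items():
        times.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window fits, track the densest span.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((session, session_user[session], peak))
    return alerts


def build_sample_log():
    """Constructed sample log: a normal daytime session and a hijacked
    night-time session that sweeps 120 messages in two minutes."""
    lines = [
        "2022-08-01T09:00:01Z,s-11,alice,Login,-",
        "2022-08-01T09:00:15Z,s-11,alice,MessageRead,msg-0001",
        "2022-08-01T09:05:30Z,s-11,alice,MessageDownload,msg-0002",
        "2022-08-01T09:40:10Z,s-11,alice,MessageDownload,msg-0003",
        "2022-08-01T21:10:00Z,s-42,alice,Login,-",  # valid credentials, login succeeds
    ]
    base = datetime(2022, 8, 1, 21, 10, 1)
    for i in range(120):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts},s-42,alice,MessageDownload,msg-{i + 1:04d}")
    return "\n".join(lines)


if __name__ == "__main__":
    for session, user, count in flag_bulk_downloads(build_sample_log()):
        print(f"ALERT session={session} user={user} downloads_in_window={count}")
```

The normal session with two downloads in forty minutes is ignored; the hijacked session is reported with its peak count. Real deployments would tune the window and threshold per mailbox size and pair this with session-origin checks, since the credentials themselves give the attacker a clean authentication trail.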
The malware is written and compiled in .NET and targets computers running Windows.