HYPERSCRAPE Detection: Iranian Cyberespionage Group APT35 Uses a Custom Tool to Steal User Data

The malicious campaigns of the Iran-backed APT34 hacking collective also tracked as Charming Kitten, have been causing a stir in the cyber threat arena in 2022, including the cyber-attacks exploiting Microsoft Exchange ProxyShell vulnerabilities. In late August 2022, cybersecurity researchers revealed the ongoing malicious activity posing a serious threat to Gmail, Yahoo!, and Microsoft Outlook users. In these attacks, the Iranian cyberespionage group has been leveraging a custom data exfiltration tool named HYPERSCRAPE, which has been under active development since 2020. HYPERSCRAPE runs on the attackers’ devices, enabling them to download the contents of compromised email inboxes with stolen credentials. 

Detect HYPERSCRAPE Data Exfiltration Tool

With the constantly growing number of state-sponsored APT groups, increased sophistication of their offensive toolkit, and exploitation of disparate attack vectors, cyber defenders strive to proactively defend against emerging attacks and timely identify adversary behavior. SOC Prime’s Detection as Code platform curates a set of Sigma rules to help cybersecurity professionals instantly spot the malicious behavior of the APT35 Iran-linked group leveraging their novel HYPERSCRAPE tool designed to steal user data. Both Sigma rules are crafted by our keen Threat Bounty Program developers, Zaw Min Htun (ZETA) and Onur Atali, and are available with translations to the industry-leading SIEM, EDR, and XDR formats. Cybersecurity practitioners can gain instant access to these context-enriched detection algorithms right from SOC Prime’s Cyber Threats Search Engine by following the links below:

Possible detection of HYPERSCRAPE tool used by Iranian APT

Iranian APT Data Extraction HYPERSCRAPE Tool Detect (via file_event)

The latter Sigma rule provided by Onur Atali detects the malicious HYPERSCRAPE tool file activity. The detection is aligned with the MITRE ATT&CK® framework version addressing the Execution tactic along with Inter-Process Communication (T1559) leveraged as its primary technique. 

Seasoned and aspiring Threat Hunters and Detection Engineers are welcome to tap into the power of collaborative cyber defense by joining the SOC Prime Threat Bounty Program, author their detection content, and monetize their professional skills.

To boost cyber response capabilities, registered SOC Prime users can gain access to the entire collection of Sigma rules for detection of the suspicious activity attributed to the Iranian hacker group APT35 aka Charming Kitten. Click the Detect & Hunt button to reach the dedicated high-quality alerts and threat hunting queries. For insightful contextual information related to data exfiltration attacks with the Iranian tool dubbed Hyperscrape, click the Explore Threat Context button, and drill down to the list of relevant Sigma rules accompanied by comprehensive metadata — instantly and without registration.

Detect & Hunt Explore Threat Context

What is HYPERSCRAPE?

Cybersecurity researchers from Google’s Threat Analysis Group have been keeping track of the activity of the infamous Iranian cyberespionage group APT35 aka Charming Kitten, known to steal user data, deploy malware, and apply multiple attack vectors in their malicious campaigns. The Iranian APT has constantly been evolving its adversary toolkit enriching it with sophisticated tools and techniques. The novel custom data exfiltration tool dubbed HYPERSCRAPE is designed to steal contents from the accounts of Gmail, Yahoo!, and Microsoft Outlook users. 

HYPERSCRAPE is a custom malware sample written in .NET able to grab sensitive data from victims’ mailboxes, once valid email credentials or a session cookie are in attackers’ possession. Adversaries leverage the tool for highly targeted attack surfing across the mailbox after hijacking an authenticated user session. Notably, HYPERSCRAPE largely automates the data dumping routine while ensuring that all compromised emails remain marked unread and all Google security alerts are deleted. 

Join SOC Prime’s Detection as Code platform to keep abreast of the latest threats and combat attacks of any scale and sophistication, including the adversary campaigns launched by state-sponsored APT groups that are currently on the rise. Looking for self-advancement opportunities? Join the ranks of SOC Prime’s Threat Bounty crowdsourced initiative to hone your Detection Engineering and Threat Hunting skills by crafting Sigma and YARA rules, sharing them with the global cybersecurity community, and earning financial rewards for your input.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts