Google’s Threat Analysis Group (TAG) has obtained a tool capable of downloading complete inboxes from popular platforms such as Gmail, Microsoft Outlook and Yahoo. The tool, called HYPERSCAPE, has been used successfully against targets that have not yet been identified.
State-sponsored persistent threat groups appear to be using HYPERSCAPE to siphon off every email that accumulates in an inbox, and Google’s research team has obtained a version of the tool. The team is running it in simulations to assess how dangerous it is.
Google claims that HYPERSCAPE runs on the attacker’s own machine. In other words, victims don’t need to be tricked into downloading malware for the tool to do its job. Attackers do, however, need their victims’ account credentials or session cookies: they must first successfully log in to a victim’s account before they can deploy the tool.
It appears that the tool tricks the targeted email service into believing it is being accessed from an outdated browser. To keep working reliably, the mail service then switches to its basic HTML view, which limits functionality but guarantees that the mailbox remains accessible.
Once the tool has forced the email service into the basic HTML view, it changes the inbox language to English. HYPERSCAPE then acts as a scraper: it opens emails one by one and downloads each in .eml format.
To evade detection, HYPERSCAPE restores the unread status of any email that was unread before it was opened. After downloading all emails, the tool deletes all warning emails, returns the language to its original setting and disappears.
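The behaviour described above leaves a recognisable sequence in a mailbox audit trail: a login from a legacy browser user-agent, a switch to the basic HTML view, a language change to English, a rapid burst of message opens, messages being re-marked unread, deletion of warning emails, and the language being switched back. The following detector is an added example written for this article; it is not code from Google TAG or from the tool itself. The log format, the event names and the sample lines are constructed for illustration and do not match any provider’s real audit schema, so the parser would need to be adapted to real logs.

```python
"""Heuristic detector for a HYPERSCAPE-style mailbox scraping session.

Added example, not code from the article or from Google TAG. The log
format below is constructed for illustration only and is NOT any mail
provider's real audit schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: "timestamp | session_id | event | detail".
# Session s1 shows the full scraping pattern; s2 is ordinary user activity.
SAMPLE_LOG = """\
2024-05-01T09:00:00 | s1 | login        | ua=Mozilla/4.0 (compatible; MSIE 6.0)
2024-05-01T09:00:03 | s1 | view_mode    | basic_html
2024-05-01T09:00:05 | s1 | set_language | en
2024-05-01T09:00:07 | s1 | open_message | id=101
2024-05-01T09:00:08 | s1 | open_message | id=102
2024-05-01T09:00:09 | s1 | open_message | id=103
2024-05-01T09:00:10 | s1 | open_message | id=104
2024-05-01T09:00:11 | s1 | open_message | id=105
2024-05-01T09:00:12 | s1 | open_message | id=106
2024-05-01T09:00:20 | s1 | mark_unread  | id=101
2024-05-01T09:00:21 | s1 | delete       | id=900 label=security_alert
2024-05-01T09:00:22 | s1 | set_language | fa
2024-05-01T10:00:00 | s2 | login        | ua=Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T10:00:30 | s2 | open_message | id=201
2024-05-01T10:05:00 | s2 | open_message | id=202
"""

# User-agents that look like an outdated browser (heuristic, illustrative).
LEGACY_UA = re.compile(r"MSIE|Mozilla/4\.0", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sid, event, detail = [part.strip() for part in line.split("|", 3)]
        events.append({"ts": datetime.fromisoformat(ts), "sid": sid,
                       "event": event, "detail": detail})
    return events


def score_sessions(events, min_opens=5, window=timedelta(seconds=60)):
    """Return {session_id: [reasons]} listing which scrape signals fired."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    results = {}
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # Signal 1: burst of sequential message opens (sliding window).
        opens = [e["ts"] for e in evs if e["event"] == "open_message"]
        best, j = 0, 0
        for i, t in enumerate(opens):
            while opens[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_opens:
            reasons.append(f"{best} message opens within {window.seconds}s")

        # Signal 2: login that claims to come from an outdated browser.
        if any(e["event"] == "login" and LEGACY_UA.search(e["detail"]) for e in evs):
            reasons.append("legacy browser user-agent at login")

        # Signal 3: mailbox forced into the basic HTML view.
        if any(e["event"] == "view_mode" and "basic_html" in e["detail"] for e in evs):
            reasons.append("switched to basic HTML view")

        # Signal 4: language set to English and later restored.
        langs = [e["detail"] for e in evs if e["event"] == "set_language"]
        if len(langs) >= 2 and langs[0] == "en" and langs[-1] != "en":
            reasons.append("language set to English then restored")

        # Signal 5: a message that was opened gets re-marked as unread.
        opened = {e["detail"] for e in evs if e["event"] == "open_message"}
        if any(e["event"] == "mark_unread" and e["detail"] in opened for e in evs):
            reasons.append("opened message re-marked unread")

        # Signal 6: deletion of a security warning email.
        if any(e["event"] == "delete" and "security_alert" in e["detail"] for e in evs):
            reasons.append("security alert email deleted")

        results[sid] = reasons
    return results


def flagged_sessions(text, min_signals=3):
    """Session ids where at least `min_signals` scrape indicators fired."""
    scored = score_sessions(parse_log(text))
    return sorted(sid for sid, reasons in scored.items() if len(reasons) >= min_signals)


if __name__ == "__main__":
    for sid, reasons in score_sessions(parse_log(SAMPLE_LOG)).items():
        print(sid, reasons)
    print("flagged:", flagged_sessions(SAMPLE_LOG))
```

Each signal on its own is weak (a genuine user on an old phone may well use the basic HTML view), so the detector requires several to coincide within one session before it flags anything; the thresholds are illustrative and should be tuned against a baseline of normal activity for the environment in question.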
Currently, HYPERSCAPE appears to be targeting accounts located in Iran. However, it is quite possible for other threat groups to acquire the tool.