Google’s Threat Analysis Group (TAG) has obtained a tool that can download the complete contents of email inboxes on popular platforms such as Gmail, Microsoft Outlook and Yahoo. The tool, called HYPERSCAPE, has already been used against as-yet-unidentified victims.
State-sponsored advanced persistent threat groups appear to be using HYPERSCAPE to siphon off every email that accumulates in a target’s inbox, and Google’s research team has obtained a copy of the tool. The team is currently running simulations to see just how dangerous it is.
According to Google, HYPERSCAPE runs entirely on the attacker’s own endpoint. In other words, victims do not have to be tricked into downloading any malware for the tool to do its job. The attackers do, however, need the victim’s account credentials or a valid session cookie: they must first log into the victim’s account before the tool can be used against it.
The tool appears to trick the targeted email service into believing it is being accessed from an outdated browser. To keep the account usable, the service falls back to its basic HTML view, a reduced-feature interface that still exposes every message.
Once the service has switched to the basic HTML view, the tool changes the inbox language to English. From that point on HYPERSCAPE acts as a scraper: it opens emails one by one and downloads each of them as an .eml file.
To avoid alerting the account owner, HYPERSCAPE re-marks as unread any email that was unread before it was opened. After all emails have been downloaded, the tool deletes any warning emails the provider generated during the session, reverts the inbox language to its original setting, and leaves no further trace.
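From the defender’s side, the behaviours described above leave a recognisable footprint in a webmail provider’s audit trail: a login from a legacy browser, a language switch to English, a burst of message reads, and the deletion of the provider’s own warning emails. The following detection heuristic is an added example, not code from the article or from Google TAG; the audit-event layout, the session ids and the thresholds (Firefox major below 60 as “legacy”, 50 reads in 10 minutes as bulk) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit events (session, ISO time, action, detail); the field
# layout is hypothetical and stands in for a provider's real webmail audit log.
EVENTS = [
    ("s1", "2022-08-23T09:00:00", "login", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"),
    ("s1", "2022-08-23T09:00:09", "set_language", "en"),
    ("s1", "2022-08-23T09:11:00", "delete_message", "from=security-alert@mail.example"),
    ("s2", "2022-08-23T10:00:00", "login", "Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"),
    ("s2", "2022-08-23T10:01:00", "open_message", "msg-1"),
] + [  # s1 opens 200 messages, one every 3 seconds, between 09:01 and 09:11
    ("s1", f"2022-08-23T09:{1 + i // 20:02d}:{(i * 3) % 60:02d}", "open_message", f"msg-{i}")
    for i in range(200)
]
# Constructed thresholds: Firefox below major 60 is "legacy"; 50 opens in 10 minutes is bulk.
OUTDATED_FIREFOX_MAJOR, BULK_READ_COUNT, BULK_READ_WINDOW = 60, 50, timedelta(minutes=10)

def is_outdated_browser(user_agent):
    # Legacy UA: an old Firefox major version, or any Internet Explorer token.
    m = re.search(r"Firefox/(\d+)", user_agent)
    return bool(m and int(m.group(1)) < OUTDATED_FIREFOX_MAJOR) or "MSIE" in user_agent

def has_bulk_reads(times):
    # Sliding window: True if BULK_READ_COUNT opens fall inside one BULK_READ_WINDOW.
    times, start = sorted(times), 0
    for end, t in enumerate(times):
        while t - times[start] > BULK_READ_WINDOW:
            start += 1
        if end - start + 1 >= BULK_READ_COUNT:
            return True
    return False

# Per-event indicators: name -> (audit action, predicate on the detail field).
INDICATORS = {
    "outdated_browser": ("login", is_outdated_browser),
    "language_switched_to_en": ("set_language", lambda d: d == "en"),
    "security_alert_deleted": ("delete_message", lambda d: "security" in d.lower()),
}

def session_indicators(evs):
    """Behaviours matched by one session's (time, action, detail) events."""
    hits = {n for n, (act, pred) in INDICATORS.items() if any(a == act and pred(d) for _, a, d in evs)}
    if has_bulk_reads([t for t, a, _ in evs if a == "open_message"]):
        hits.add("bulk_message_reads")
    return hits

def suspicious_sessions(events, min_indicators=3):
    """Session ids matching at least min_indicators of the four behaviours."""
    by_session = defaultdict(list)
    for sid, ts, action, detail in events:
        by_session[sid].append((datetime.fromisoformat(ts), action, detail))
    return sorted(s for s, evs in by_session.items() if len(session_indicators(evs)) >= min_indicators)
```

Requiring several indicators together keeps a single legacy-browser login or one deleted alert from paging an analyst, while the combination the article describes still stands out.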
For now, HYPERSCAPE appears to be used against accounts located in Iran. However, it is quite possible that other threat groups will acquire the tool.