
UK ties GRU to stealthy Microsoft 365 credential-stealing malware


The UK National Cyber Security Centre (NCSC) has formally attributed ‘Authentic Antics’ espionage malware attacks to APT28 (Fancy Bear), a threat actor already linked to Russia’s military intelligence service (GRU).

The NCSC revealed in a detailed technical analysis of the Authentic Antics malware dated May 6th that it steals credentials and OAuth 2.0 tokens that grant access to a target's email account.

The malware was observed in use in 2023. It runs inside the Outlook process and produces multiple Microsoft login prompts in its attempts to intercept the victim's sign-in data and authorization code.

The agency says that because Microsoft 365 apps are configurable per tenant, it is possible that the stolen credentials and tokens also grant access to Exchange Online, SharePoint, and OneDrive.

Authentic Antics exfiltrates the stolen data by using the victim’s own Outlook account to send it to an attacker-controlled email address, and hides the operation by disabling the “save to sent” option.

The fake login prompt served to the target

Source: NCSC

Authentic Antics consists of multiple components that include a dropper, an infostealer, and several PowerShell scripts.

The UK cyber agency says that Authentic Antics has a high level of sophistication that allows it to provide access to victim email accounts for long periods without being detected.

This is possible because the malware communicates only with legitimate services. Furthermore, since it sends the victim's email messages to the attacker automatically, it does not require a command-and-control (C2) server to receive tasks.
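As an added defender-side example (not code from the article or from the NCSC analysis), the following Python correlates constructed Exchange message-trace records with the contents of each mailbox's Sent Items folder to surface outbound mail to external addresses that was never saved to Sent Items, which is the gap that disabling "save to sent" leaves behind. The tenant domain, addresses, and record layout are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

TENANT_DOMAIN = "example.com"  # constructed tenant domain


@dataclass(frozen=True)
class TraceRecord:
    """One outbound message as the mail server saw it leave (constructed layout)."""
    message_id: str
    sender: str
    recipient: str


# Constructed message-trace records: what actually left the tenant.
TRACE = [
    TraceRecord("<m1@example.com>", "alice@example.com", "bob@example.com"),
    TraceRecord("<m2@example.com>", "alice@example.com", "partner@vendor.test"),
    TraceRecord("<m3@example.com>", "alice@example.com", "drop@collector.test"),
    TraceRecord("<m4@example.com>", "alice@example.com", "drop@collector.test"),
]

# Constructed Sent Items contents per mailbox: what the user can see.
SENT_ITEMS = {
    "alice@example.com": {"<m1@example.com>", "<m2@example.com>"},
}


def is_external(address, tenant_domain=TENANT_DOMAIN):
    """True when the recipient domain is not the tenant's own domain."""
    return address.rsplit("@", 1)[-1].lower() != tenant_domain.lower()


def unsaved_external_sends(trace, sent_items, tenant_domain=TENANT_DOMAIN):
    """Return {sender: {recipient: [message_ids]}} for mail to an external
    recipient that never appeared in the sender's Sent Items folder."""
    hits = defaultdict(lambda: defaultdict(list))
    for rec in trace:
        if not is_external(rec.recipient, tenant_domain):
            continue  # internal mail is out of scope for this hunt
        if rec.message_id in sent_items.get(rec.sender, set()):
            continue  # user can see it; nothing hidden
        hits[rec.sender][rec.recipient].append(rec.message_id)
    return {sender: dict(by_rcpt) for sender, by_rcpt in hits.items()}


if __name__ == "__main__":
    for sender, by_rcpt in unsaved_external_sends(TRACE, SENT_ITEMS).items():
        for recipient, ids in by_rcpt.items():
            print(f"{sender} -> {recipient}: {len(ids)} message(s) missing from Sent Items")
```

Repeated hits from one mailbox to a single external address are the signal worth triaging first; a single miss can be a user deleting their own sent mail.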
