The UK NCSC attributes the Authentic Antics espionage malware to APT28 (Fancy Bear), linked to Russia’s GRU. The malware steals credentials and OAuth tokens from Microsoft 365 accounts, allowing long-term access without detection. #APT28 #FancyBear
Key points
- Authentic Antics malware is used for espionage against email systems linked to Microsoft 365.
- The malware operates within Outlook, stealing sign-in data and authorization tokens.
- It communicates only with legitimate services, so it needs no dedicated C2 server and its traffic blends in with normal activity, making detection harder.
- UK authorities link the malware to the Russian APT28 group and have sanctioned related units and individuals.
- The malware includes components like a dropper, infostealer, and PowerShell scripts, demonstrating high sophistication.