Authentic Antics is a sophisticated malware strain targeting the Windows Operating System, particularly focusing on Microsoft Outlook. Its main objective is to steal login credentials and OAuth 2.0 tokens related to email accounts, allowing cyber attackers to gain unauthorized access to victims’ mailboxes.
Key characteristics and techniques of Authentic Antics:
- Runs within the Outlook process, displaying fake login prompts to trick users into entering their credentials and OAuth tokens, which are then harvested by the malware.
- Uses advanced defense evasion methods, including environmental keying and removing hooks from system files, to avoid detection.
- Masquerades as the Microsoft Authentication Library (MSAL) for .NET, embedding malicious alterations within what appears to be legitimate authentication code.
- Maintains stealth by communicating only with legitimate online services; it exfiltrates stolen credentials by sending emails from the victim’s own account directly to an attacker-controlled address, and these emails are hidden from the victim’s Sent folder.
- No direct command-and-control communication: Once deployed, the malware operates autonomously and does not receive further instructions, making it harder to detect and disrupt remotely.
- Persistence is achieved through COM hijacking and periodic execution (once every six days) using a specific registry mechanism.
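One defensive check for the COM-hijacking persistence described above, added here as an example that is not from the original page or any vendor tooling: it parses a `.reg` export of `HKCU\Software\Classes\CLSID` and flags per-user `InprocServer32` overrides that point outside trusted system directories (a per-user CLSID entry shadows the machine-wide one, so such overrides warrant review). The sample export, its GUIDs and paths are constructed; the page does not name the actual registry key used by Authentic Antics, and nothing here claims to.

```python
import re

# Constructed sample: an excerpt in the format produced by
#   reg export HKCU\Software\Classes\CLSID out.reg
# The GUIDs and file paths are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\msal.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"""

# Directories a standard user cannot normally write to; anything else is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$"
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's default value (the DLL path)


def parse_hkcu_inproc_servers(reg_text: str) -> dict[str, str]:
    """Map each HKCU CLSID to the DLL path in its InprocServer32 default value."""
    servers: dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):  # some other key: stop attributing values
            current = None
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            # .reg files escape backslashes as "\\"; undo that to get the real path.
            servers[current] = m.group(1).replace("\\\\", "\\")
    return servers


def find_suspicious_com_overrides(reg_text: str) -> list[str]:
    """Return CLSIDs whose per-user InprocServer32 DLL lives outside trusted directories."""
    return [
        clsid
        for clsid, path in parse_hkcu_inproc_servers(reg_text).items()
        if not path.lower().startswith(TRUSTED_PREFIXES)
    ]
```

Run against a real export from a workstation, every flagged CLSID should be cross-checked against the matching HKLM entry and the DLL's signature before treating it as a finding.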
Attribution:
- The UK National Cyber Security Centre (NCSC) has formally attributed Authentic Antics to Russia’s military intelligence cyber unit within the GRU (tracked as APT28, also known as Fancy Bear). The tool has been used in intelligence-gathering campaigns targeting Western organizations and governments.