NCSC calls out Russian intelligence malware that gains control of email accounts


The United Kingdom’s National Cyber Security Centre (NCSC) has issued a warning about Russian intelligence malware that hijacks email accounts and steals all sorts of data from victims.

According to the UK’s cybersecurity agency, Russian military intelligence actors have been using previously unknown malicious software, recently dubbed AUTHENTIC ANTICS.

APT28, a cyber threat group linked to Russia’s GRU 85th Main Special Service Centre (Unit 26165) and also tracked as Fancy Bear, Forest Blizzard, and Blue Delta, is responsible for deploying the malware. How the malicious software is being distributed, however, remains unclear.


An analysis of AUTHENTIC ANTICS shows that the malware has been specifically designed to maintain persistent access to Microsoft cloud accounts from a compromised endpoint by blending its activity in with legitimate use.

The malware periodically displays a login prompt asking the user to enter their credentials. It then intercepts those credentials, along with the OAuth authentication tokens that grant access to Microsoft services such as Exchange Online, SharePoint, and OneDrive.

The malware also exfiltrates victims’ data by sending emails from the victims’ accounts to an actor-controlled email address without the emails showing in the “sent” folder.
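One defensive check that follows from the behaviour described above, written here as an added example rather than anything from the NCSC report or the article: correlate outbound message-trace records with the mailbox’s Sent Items folder and flag external recipients that repeatedly receive mail the user never “sent”. The organisation domain, the record layout and all sample data are constructed assumptions.

```python
# Added example (not from the NCSC report or the article): correlate outbound
# message-trace records with the mailbox's Sent Items folder. Messages that left
# the organisation but were never saved to Sent Items are flagged and grouped by
# recipient, so a recurring external destination stands out for review.
from collections import defaultdict

ORG_DOMAIN = "example.org"  # assumption: the victim organisation's mail domain

# Constructed sample data. In practice the first list would come from a message
# trace export and the second from a listing of the mailbox's Sent Items.
MESSAGE_TRACE = [
    {"sender": "alice@example.org", "recipient": "bob@example.org",      "message_id": "<m1@example.org>"},
    {"sender": "alice@example.org", "recipient": "partner@vendor.test",  "message_id": "<m2@example.org>"},
    {"sender": "alice@example.org", "recipient": "drop@collector.test",  "message_id": "<m3@example.org>"},
    {"sender": "alice@example.org", "recipient": "drop@collector.test",  "message_id": "<m4@example.org>"},
    {"sender": "alice@example.org", "recipient": "drop@collector.test",  "message_id": "<m5@example.org>"},
]
SENT_ITEMS_IDS = {"<m1@example.org>", "<m2@example.org>"}  # m3..m5 never reached Sent Items


def is_external(address: str) -> bool:
    """True when the recipient is outside the organisation's own domain."""
    return not address.lower().endswith("@" + ORG_DOMAIN)


def find_hidden_external_sends(trace, sent_ids):
    """Return {recipient: [message_id, ...]} for mail to external recipients
    that has no matching item in the sender's Sent Items folder."""
    hidden = defaultdict(list)
    for rec in trace:
        if is_external(rec["recipient"]) and rec["message_id"] not in sent_ids:
            hidden[rec["recipient"]].append(rec["message_id"])
    return dict(hidden)


def suspicious_recipients(trace, sent_ids, min_count=2):
    """External addresses that repeatedly receive mail missing from Sent Items."""
    hidden = find_hidden_external_sends(trace, sent_ids)
    return sorted(r for r, ids in hidden.items() if len(ids) >= min_count)


if __name__ == "__main__":
    for recipient, ids in find_hidden_external_sends(MESSAGE_TRACE, SENT_ITEMS_IDS).items():
        print(f"{recipient}: {len(ids)} message(s) not in Sent Items")
    print("review:", suspicious_recipients(MESSAGE_TRACE, SENT_ITEMS_IDS))
```

A single missing item can be a client quirk or a user deleting a sent message, so the recurring-recipient threshold is what turns this from noise into a lead worth checking.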


According to the researchers, the developers paid close attention to making the malware blend in with legitimate Outlook activity, which makes clear that its purpose is persistent access to a victim’s email account.

“The malware cleverly exploits an increasing familiarity with Microsoft authentication prompts, including generating the prompt from within the Outlook process and ensuring the prompts are not displayed too often. Network communications are exclusively with legitimate services, which is less likely to stand out and much harder to detect,” the NCSC writes in its report on AUTHENTIC ANTICS.

Ernestas Naprys Gintaras Radauskas Niamh Ancell BW Paulina Okunyte

“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies,” David Lammy, Secretary of State for Foreign, Commonwealth and Development Affairs, says in a statement.
