CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs
by Bill Toulas · BleepingComputer

A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices.
The malware was discovered in an intrusion that has been active since at least January, and researchers believe the threat actor's goal was to steal credentials and temporary passcodes.
Microsoft Phone Link comes preinstalled on Windows 10 and 11 and lets the user make and take calls, respond to texts, and view notifications from a paired mobile device (Android or iOS) on the computer.
By leveraging the application, the threat actor could intercept sensitive messages delivered to the target's mobile phone without compromising the device itself.
Cisco Talos researchers say in a report today that Pheno monitors for active Phone Link sessions and accesses its local SQLite database, which may contain SMS and one-time passwords (OTPs).
Because the Windows host already holds a synced copy of those messages, the attacker never has to touch the phone to read them.
“With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” explain Cisco Talos researchers.
Source: Cisco Talos
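A hunting heuristic for the behaviour Talos describes above: Phone Link's own process is the only thing that should be opening the app's local database, so any other image reading a SQLite file under the Phone Link package directory is worth an alert. This is an added example, not Talos' or CloudZ's code. It assumes Phone Link runs as PhoneExperienceHost.exe and stores its data under the package folder Microsoft.YourPhone_8wekyb3d8bbwe (both assumptions; confirm the package name with `Get-AppxPackage *YourPhone*`), and that file-access telemetry (Sysmon or EDR file-open events) is available flattened to one JSON object per line. The log lines are constructed for the example.

```python
"""Flag non-Phone-Link processes that touch Phone Link's SQLite data.

Added example, not from the article or Talos. Assumptions:
  - PhoneExperienceHost.exe is the Phone Link process (assumed).
  - Phone Link data lives under
    %LOCALAPPDATA%\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\ (assumed).
  - Telemetry is one JSON object per line with pid, image, path fields.
"""
import json
from dataclasses import dataclass

# Assumed process name and package folder for Phone Link (see lead-in).
PHONE_LINK_IMAGE = "phoneexperiencehost.exe"
PHONE_LINK_DATA_MARKER = "/packages/microsoft.yourphone_8wekyb3d8bbwe/"
# SQLite main file plus its write-ahead log and shared-memory sidecars;
# an attacker copying the WAL alone still gets recent messages.
DB_SUFFIXES = (".db", ".db-wal", ".db-shm", ".sqlite")


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    path: str


def _norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path for matching."""
    return path.replace("\\", "/").lower()


def is_phone_link_db(path: str) -> bool:
    """True if path is a SQLite file inside the Phone Link package folder."""
    p = _norm(path)
    return PHONE_LINK_DATA_MARKER in p and p.endswith(DB_SUFFIXES)


def find_foreign_db_access(lines):
    """Return Findings for every event where a process other than Phone
    Link itself opened a Phone Link SQLite file."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        image = _norm(ev["image"]).rsplit("/", 1)[-1]
        if image == PHONE_LINK_IMAGE:
            continue  # the app reading its own database is expected
        if is_phone_link_db(ev["path"]):
            findings.append(Finding(int(ev["pid"]), image, ev["path"]))
    return findings


# Constructed sample telemetry (not real captures). Two benign events,
# two that should fire: an unknown binary and PowerShell reading the WAL.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Program Files\\WindowsApps\\PhoneExperienceHost.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\messages.db"}
{"pid": 1304, "image": "C:\\Windows\\System32\\svchost.exe", "path": "C:\\Windows\\System32\\config\\SOFTWARE"}
{"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\messages.db"}
{"pid": 9021, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\messages.db-wal"}
"""


if __name__ == "__main__":
    for f in find_foreign_db_access(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={f.pid} image={f.image} path={f.path}")
```

Tune the allow-list to your environment: backup agents and indexing services may legitimately read package folders, so allow them by image path and signer rather than by bare file name, which an attacker can mimic.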
Besides the capabilities present in the Pheno plugin, CloudZ can target data stored on web browsers, profile host systems, and execute commands for:
- File management (delete, download and write)
- Shell command execution
- Screen recording
- Plugin management (load, remove, save to disk)
- Termination of the RAT process
Cisco reports that CloudZ rotates between three hardcoded user-agent strings to make HTTP traffic appear as legitimate browser requests. Each HTTP request includes anti-caching headers to prevent proxies/CDNs from caching C2 or staging-server details.
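The two traffic traits above are hunting material on their own: a real browser from one host normally presents one User-Agent, and it does not stamp no-cache headers on every request. The following added example (not Talos' or CloudZ's code) walks a proxy log and reports client/host pairs that used three or more distinct User-Agents within a short window while every request carried anti-caching headers. It assumes one JSON object per log line with ts, src, host, user_agent and headers fields; the User-Agent strings, hostnames and log lines are constructed, since the article does not reproduce CloudZ's actual strings.

```python
"""Detect User-Agent rotation combined with anti-caching headers.

Added example, not from the article or Talos. Assumes a proxy log with
one JSON object per line: ts (epoch seconds), src, host, user_agent,
headers (dict). All sample data below is constructed.
"""
import json
from collections import defaultdict


def has_anti_caching(headers: dict) -> bool:
    """True if the request asks intermediaries not to cache it."""
    h = {k.lower(): str(v).lower() for k, v in headers.items()}
    cc = h.get("cache-control", "")
    return "no-cache" in cc or "no-store" in cc or "no-cache" in h.get("pragma", "")


def find_ua_rotators(lines, min_uas=3, window_s=600):
    """Return {(src, host): sorted UA list} for pairs where at least
    min_uas distinct User-Agents appeared within window_s seconds and
    every request in that window carried anti-caching headers."""
    by_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        by_pair[(ev["src"], ev["host"])].append(
            (float(ev["ts"]), ev["user_agent"], has_anti_caching(ev.get("headers", {})))
        )

    hits = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(evs):
            # Sliding window starting at event i.
            win = [e for e in evs[i:] if e[0] - t0 <= window_s]
            uas = {e[1] for e in win}
            if len(uas) >= min_uas and all(nc for _, _, nc in win):
                hits[pair] = sorted(uas)
                break
    return hits


# Constructed User-Agents: three plausible browser strings an implant
# might rotate through. Not CloudZ's real strings.
UA_A = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
UA_B = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
UA_C = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0"
NOCACHE = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}


def _ev(ts, src, host, ua, headers):
    return json.dumps({"ts": ts, "src": src, "host": host, "user_agent": ua, "headers": headers})


# Constructed log: 10.0.0.5 beacons to staging.example with rotating UAs
# and no-cache headers (should fire); 10.0.0.7 is a normal browser with
# one UA; 10.0.0.9 is a NAT gateway showing several UAs but no
# anti-caching headers (should not fire).
SAMPLE_LOG = "\n".join([
    _ev(1700000000, "10.0.0.5", "staging.example", UA_A, NOCACHE),
    _ev(1700000060, "10.0.0.5", "staging.example", UA_B, NOCACHE),
    _ev(1700000120, "10.0.0.5", "staging.example", UA_C, NOCACHE),
    _ev(1700000180, "10.0.0.5", "staging.example", UA_A, NOCACHE),
    _ev(1700000010, "10.0.0.7", "www.example.com", UA_A, {}),
    _ev(1700000020, "10.0.0.7", "www.example.com", UA_A, {"Cache-Control": "max-age=0"}),
    _ev(1700000030, "10.0.0.9", "cdn.example", UA_A, {}),
    _ev(1700000040, "10.0.0.9", "cdn.example", UA_B, {}),
    _ev(1700000050, "10.0.0.9", "cdn.example", UA_C, NOCACHE),
])


if __name__ == "__main__":
    for (src, host), uas in find_ua_rotators(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {host}: {len(uas)} User-Agents with anti-caching headers")
```

Expect noise from shared egress addresses and from hard refreshes, which browsers do send with Cache-Control: no-cache; keying on the source process (where the proxy or EDR records it) instead of the source IP, and requiring the no-cache headers on every request rather than on some, keeps the false-positive rate manageable.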
The researchers haven’t identified the initial access vector, but they found that the infection starts when the victim executes a fake ScreenConnect update, which drops a Rust-based loader. This is followed by the deployment of a .NET loader, which installs CloudZ RAT and establishes persistence via a scheduled task.
The .NET loader also includes anti-analysis checks, such as time-based sandbox evasion steps, checks for analysis tools like Wireshark, Fiddler, Procmon, and Sysmon, and checks for VM- and sandbox-related strings.
Source: Cisco Talos
To defend against such attacks, users should avoid SMS-based OTPs and prefer authenticator apps whose codes do not arrive as push notifications, since Phone Link mirrors those notifications to the PC where the plugin can read them. For more sensitive accounts, it is recommended to switch to phishing-resistant methods such as hardware security keys.
Cisco Talos has published a set of indicators of compromise, including URLs, hashes for malicious components, domains, and IP addresses, which defenders can use to protect their environments.