
CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs

Why This Matters

The discovery of CloudZ malware abusing Microsoft Phone Link highlights an attack vector that lets criminals read SMS messages and one-time passcodes without compromising the phone itself: once a phone is paired, its messages and notifications are mirrored to, and cached on, the Windows host. This underscores the importance of securing integrated companion applications and monitoring for unusual activity on Windows systems, and it shows threat actors targeting cross-platform services to steal credentials and personal information.

Key Takeaways

A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices.

The malware was discovered in an intrusion that was active since at least January and researchers believe the threat actor's purpose was to steal credentials and temporary passcodes.

Microsoft Phone Link ships preinstalled on Windows 10 and 11 and lets the user make and take calls, reply to texts, and view notifications from a paired Android or iOS phone directly on the computer.

By abusing the application, the threat actor could intercept sensitive messages delivered to the target's mobile phone without compromising the device.

Cisco Talos researchers say in a report today that Pheno monitors for active Phone Link sessions and accesses its local SQLite database, which may contain SMS and one-time passwords (OTPs).

This gives the attacker access to sensitive information without needing to compromise the mobile device.

“With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” explain Cisco Talos researchers.

[Figure: Pheno scanning for active Phone Link sessions. Source: Cisco Talos]
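The exposure Talos describes is simple to verify on your own hosts: if Phone Link's cache is an unencrypted SQLite file readable by the signed-in user, any process running as that user can read it, as Pheno does. The following audit script is an added example (not Cisco Talos' code and not the Pheno plugin). It assumes, since the article does not say, that the per-user data lives under the package folder %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe and that the cache files are plain SQLite; table and column names are unknown, so it is schema-agnostic and inspects every text cell of every table. The sample cache it builds for offline use is constructed and is not Phone Link's real schema.

```python
r"""
Added example: audit what a Phone Link SQLite cache exposes to any process running
as the signed-in user. Not Cisco Talos' code and not the Pheno plugin.

Assumptions (not from the article):
- Phone Link's per-user data lives under
  %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe (assumed path).
- Cache files are plain SQLite; schema unknown, so every text cell is examined.
"""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Assumed location of Phone Link's per-user data; verify on your own build.
PHONE_LINK_DIR = Path(os.environ.get("LOCALAPPDATA", "")) / "Packages" / "Microsoft.YourPhone_8wekyb3d8bbwe"

SQLITE_MAGIC = b"SQLite format 3\x00"
OTP_HINT = re.compile(r"\b(code|otp|verification|passcode|pin|2fa)\b", re.IGNORECASE)
CODE_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")  # typical OTP lengths


def find_sqlite_files(root: Path) -> list[Path]:
    """Return every file under root whose header is the SQLite magic, whatever its extension."""
    found = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            with open(p, "rb") as fh:
                if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                    found.append(p)
        except OSError:
            continue  # locked or unreadable file: skip rather than abort the hunt
    return found


def scan_db(path: Path) -> list[tuple[str, str, str, str]]:
    """Return (table, column, code, snippet) for every text cell that reads like an OTP message.

    The file is opened read-only through a URI so the audit cannot modify the cache.
    """
    hits = []
    con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            columns = [r[0] for r in con.execute("SELECT name FROM pragma_table_info(?)", (table,))]
            for column in columns:
                q_table, q_column = table.replace('"', '""'), column.replace('"', '""')
                for (value,) in con.execute(f'SELECT "{q_column}" FROM "{q_table}"'):
                    if not isinstance(value, str) or not OTP_HINT.search(value):
                        continue
                    match = CODE_RE.search(value)
                    if match:
                        hits.append((table, column, match.group(0), value[:60]))
    finally:
        con.close()
    return hits


def audit(root: Path) -> dict[Path, list]:
    """Map each SQLite file under root to the OTP-like cells found in it."""
    return {db: scan_db(db) for db in find_sqlite_files(root)}


def build_sample_cache(directory: Path) -> Path:
    """Construct a toy cache so the audit runs offline. This is NOT Phone Link's real schema."""
    db = directory / "messages.db"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO sms (sender, body, ts) VALUES (?, ?, ?)", [
        ("+15550100", "Your verification code is 483920. Do not share it.", 1700000000),
        ("BANK", "Use OTP 22781 to approve the transfer.", 1700000060),
        ("Alice", "Meet at 5? Bring the 2024 report.", 1700000120),  # no OTP wording: not reported
    ])
    con.commit()
    con.close()
    return db


def run_demo() -> list[tuple[str, str, str, str]]:
    """Build the constructed sample cache in a temp dir and return what the audit finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_cache(root)
        return [hit for hits in audit(root).values() for hit in hits]


if __name__ == "__main__":
    if PHONE_LINK_DIR.is_dir():
        for db, hits in audit(PHONE_LINK_DIR).items():
            print(f"{db}: {len(hits)} OTP-like cell(s)")
            for table, column, code, snippet in hits:
                print(f"  {table}.{column}: code {code} in {snippet!r}")
    else:
        print("Phone Link directory not found; running against the constructed sample cache")
        for table, column, code, snippet in run_demo():
            print(f"{table}.{column}: code {code} in {snippet!r}")
```

Run it as the paired user on a Windows host with Phone Link in use. Any hit means a one-time code sat on disk where user-level malware such as CloudZ could read it without touching the phone; an empty result only means this heuristic found nothing in the files under the assumed path, not that the cache is protected. Because plain file reads leave no Sysmon trace, a follow-up check on such a host is to put an audit SACL on the cache directory and alert on access by processes other than Phone Link's own.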

Besides the capabilities in the Pheno plugin, CloudZ can steal data stored by web browsers, profile the host system, and execute commands for:

... continue reading