
Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA

Why This Matters

This discovery highlights a significant security weakness in Windows' Phone Link feature, which attackers can abuse to intercept sensitive mobile data and bypass two-factor authentication without directly compromising the mobile device. It underscores the importance of securing cross-device integrations and monitoring for malicious activity in widely used synchronization tools, with implications for both industry security practices and consumer privacy. Because the attackers are leveraging a legitimate feature for malicious purposes, the finding emphasizes the need for ongoing vigilance and improved security measures in cross-platform environments.

Key Takeaways

Attackers are abusing a Microsoft Windows tool to spy on and steal SMS messages and one-time passwords (OTPs) from mobile devices. In an ongoing threat campaign that started in January, they first compromise PCs, then use malware to abuse the PC's link to the mobile devices to intercept and steal data, researchers have discovered.

According to a report published this week by researchers from Cisco Talos, the attack shows a unique attack flow in which the actors abuse Microsoft Phone Link on a Windows PC to exploit the trust relationship the tool creates with smartphones. Phone Link, which is preinstalled on Windows 10 and 11 and was previously called "Your Phone," is a built-in Windows app that syncs text messages, notifications, and calls between mobile devices and PCs.

Attackers use a combination of the modular CloudZ remote access Trojan (RAT) and a new plugin, Pheno, to hijack the bridge between Phone Link and the paired devices. Pheno continuously scans for active Phone Link processes and can potentially intercept sensitive mobile data such as SMS messages and two-factor authentication (2FA) codes, all without actually deploying malware on the phone, according to the researchers.


"With confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file…on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages," Cisco Talos researchers Alex Karkins and Chetan Raghuprasad wrote in the report.
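The two passages above describe the detection opportunity this technique leaves: a process other than Phone Link itself reading the app's local SQLite store on the PC. The following is an added example (not code from the Talos report or from Dark Reading) of a simple detection pass over file-access telemetry; it assumes, since the article does not say, that Phone Link runs as PhoneExperienceHost.exe and keeps its cache under the Microsoft.YourPhone_* package folder, and the sample events are constructed.

```python
"""Flag non-Phone Link processes touching the Phone Link SQLite store.

Added example, not from the Talos report or the Dark Reading article.
Assumptions (not stated on the page): Phone Link runs as
PhoneExperienceHost.exe and its local cache lives under the package
folder Microsoft.YourPhone_*; adjust both to your environment.
Input shape is (image path, target file path), as exported from
Sysmon file events or EDR file-open telemetry.
"""
import fnmatch

# Images expected to open the Phone Link database (assumption).
ALLOWED_IMAGES = {"phoneexperiencehost.exe"}

# Assumed location of the Phone Link local cache (lower-cased glob).
CACHE_PATTERN = "*\\packages\\microsoft.yourphone_*\\localcache\\*"

# SQLite main file plus its sidecars; copying the WAL alone can expose
# recently written rows, so it is watched too.
SQLITE_SUFFIXES = (".db", ".db-wal", ".db-shm", ".db-journal")

# Constructed sample telemetry: (image path, target file path).
SAMPLE_EVENTS = [
    (r"C:\Program Files\WindowsApps\Microsoft.YourPhone_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
     r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\abc\System\Database\phone.db"),
    (r"C:\Users\alice\AppData\Roaming\update\AppUpdate.exe",
     r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\abc\System\Database\phone.db-wal"),
    (r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
]


def is_phone_link_db(path):
    """True if the path is a SQLite file inside the Phone Link cache."""
    lowered = path.lower()
    return lowered.endswith(SQLITE_SUFFIXES) and fnmatch.fnmatch(lowered, CACHE_PATTERN)


def suspicious_accesses(events):
    """Return (image, target) pairs where an unexpected image opened the store."""
    hits = []
    for image, target in events:
        image_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if is_phone_link_db(target) and image_name not in ALLOWED_IMAGES:
            hits.append((image, target))
    return hits


if __name__ == "__main__":
    for image, target in suspicious_accesses(SAMPLE_EVENTS):
        print(f"ALERT: {image} accessed {target}")
```

In production the same logic maps directly onto a Sigma or EDR rule keyed on the target path glob and an allow-list of images, with the usual tuning for backup agents.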

Phone Link's Cross-Device Sync Abused

The findings demonstrate how cross-device syncing can create an unexpected path to credential theft without attackers ever manipulating the mobile device itself, Cisco Talos tells Dark Reading. By abusing legitimate Windows functionality, attackers could gain a 2FA bypass capability — effectively eliminating an identity authentication step many users think keeps their accounts secure. Microsoft did not immediately reply to Dark Reading's request for comment Wednesday on the attack.

Cisco Talos learned from telemetry data that an intrusion they observed began with an unknown initial access vector into the victim's environment, leading to the execution of a fake ScreenConnect app-update executable. This in turn executes an intermediate .NET loader executable, which subsequently deploys the modular CloudZ RAT on the victim's machine.

CloudZ includes capabilities for browser credential theft, shell command execution, screen recording, plugin deployment, and file management. Upon execution, it decrypts its configuration data, establishes an encrypted socket connection to the command-and-control (C2) server, and enters its command dispatcher mode.
