    Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA

By admin | May 7, 2026

Attackers are abusing a built-in Microsoft Windows tool to spy on and steal SMS messages and one-time passwords (OTPs) from mobile devices. In an ongoing campaign that started in January, they first compromise a PC, then use malware on that PC to abuse its existing link to a paired phone and intercept the phone's data, researchers have discovered.

In a report published this week, researchers from Cisco Talos describe a distinctive attack flow in which the actors abuse Microsoft Phone Link on a Windows PC to exploit the trust relationship the tool creates with paired smartphones. Phone Link, which is preinstalled on Windows 10 and 11 and was previously called "Your Phone," is a built-in Windows app that syncs text messages, notifications, and calls between mobile devices and PCs.

    “We found this attack slightly distinct, as the attacker is attempting to steal the sensitive information from mobile phones that are already paired with the Windows PC without deploying mobile malware,” Cisco Talos researcher Chetan Raghuprasad tells Dark Reading. “We don’t commonly see this connection leveraged in attacks.”

Attackers use a combination of the modular CloudZ remote access Trojan (RAT) and a new plug-in, Pheno, to hijack the bridge between Phone Link and the paired device. Pheno continuously scans for active Phone Link processes and can potentially intercept sensitive mobile data such as SMS messages and two-factor authentication (2FA) codes, all without deploying any malware on the phone itself, according to the researchers.

    “With confirmed Phone Link activity on the victim’s machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file … on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” Raghuprasad and Cisco Talos’s Alex Karkins wrote in the report.

    Phone Link’s Cross-Device Sync Abused

    The findings demonstrate how cross-device syncing can create an unexpected path to credential theft without attackers ever manipulating the mobile device itself, Cisco Talos tells Dark Reading. By abusing a legitimate Windows functionality, attackers could gain a 2FA bypass capability — effectively eliminating an identity authentication step many users think keeps their devices secure. Microsoft did not immediately reply to Dark Reading’s request for comment Wednesday on the attack.

Cisco Talos learned from telemetry data that an intrusion they observed began with an unknown initial-access vector into the victim's environment, leading to the execution of a fake ScreenConnect app-update executable. This in turn executes an intermediate .NET loader executable, which subsequently deploys the modular CloudZ RAT on the victim's machine.

    CloudZ includes capabilities for browser credential theft, shell command execution, screen recording, plug-in deployment, and file management. Upon execution, it decrypts its configuration data, establishes an encrypted socket connection to the command-and-control (C2) server, and enters its command dispatcher mode. 

    “CloudZ facilitates the command-and-control (C2) commands to exfiltrate credentials from the victim machine browser data, and it downloads and implants a plug-in, which performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder,” the researchers wrote. “CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server.”

    The plug-in dropped by CloudZ in the attack is Pheno, malware that the researchers said they hadn’t seen before. “Pheno is designed to detect if a user is currently syncing their mobile device to a Windows machine through the Phone Link application,” according to the post. 

    The plug-in does this by focusing specifically on reconnaissance of Phone Link processes such as “YourPhone” and “PhoneExperienceHost.” If an active relay session is detected, the malware flags the system as “Maybe connected,” indicating the attackers may be able to monitor SMS traffic and OTP delivery.

    Mitigating & Avoiding 2FA Bypass Attacks

    So far the researchers have not seen evidence that the attack vector has successfully exfiltrated data, Raghuprasad says. “Still, the staging URLs of Pastebin are active, indicating high likelihood that the attacks are ongoing,” he notes.

    The attack is yet more evidence that 2FA is not a foolproof way to protect people’s personal and business accounts from being compromised, especially when device users in this case may be completely unaware that anything suspicious is happening.

In fact, recent research from Proofpoint found that attackers are finding myriad ways around multifactor authentication (MFA), particularly via phishing kits, and that enabling it does not guarantee an account won't be compromised.

In the case of the Phone Link attack, defenders can protect users against 2FA compromise by using secondary authentication methods that don't rely on OTPs or SMS, which removes the data the attack is after. Organizations using Windows PCs that have Phone Link preinstalled should determine whether their employees really need the app and, if not, disable it, the researchers said.

To determine whether they've been targeted, organizations can update their behavioral detection engines to look for the execution of regasm.exe with unusual arguments and for unauthorized scheduled tasks, and can block the C2 server IP addresses associated with the attack, information that Cisco Talos has provided in the post, Raghuprasad says. Cisco Talos also posted indicators of compromise (IoCs) on a GitHub page and, in the report, provided specific ClamAV signatures and Snort rules (SIDs) for detecting and blocking the threat.
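The detection guidance above, and the Phone Link process reconnaissance Pheno performs, can be turned into a small hunt over endpoint process-creation telemetry. The following is an added example written for this page; it is not Cisco Talos's code, not a Talos signature, and not the CloudZ or Pheno logic itself. The process names YourPhone and PhoneExperienceHost, the regasm.exe and schtasks indicators, and the fake ScreenConnect update come from the report as summarized above; the sample events are constructed, and the definitions of "unusual" regasm.exe arguments (an assembly outside Program Files or Windows) and of "trusted" scheduled-task parents are assumptions that a real deployment would tune to its own baseline.

```python
"""Hunt Sysmon-style process-creation records for the behaviours described in
the Talos report: regasm.exe with unusual arguments, unauthorized scheduled
tasks, and an active Phone Link session on the same host (the condition Pheno
reports as "Maybe connected", seen here from the defender's side).

Added example; the event records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Process names the report says Pheno looks for.
PHONE_LINK_PROCESSES = {"yourphone.exe", "phoneexperiencehost.exe"}

# Assumption: legitimate regasm.exe use registers an assembly that lives under
# Program Files or Windows; anything else (temp, user profile, UNC) is unusual.
EXPECTED_ASSEMBLY_DIRS = (r"c:\program files", r"c:\windows")

# Assumption: only these parents are allowed to create scheduled tasks.
TRUSTED_TASK_PARENTS = {"msiexec.exe", "ccmexec.exe", "mmc.exe", "explorer.exe"}


@dataclass
class ProcEvent:
    host: str
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def unusual_regasm(ev: ProcEvent) -> bool:
    """regasm.exe pointed at an assembly outside the expected directories,
    or run with no assembly at all."""
    if image_name(ev.image) != "regasm.exe":
        return False
    args = split_cmdline(ev.cmdline)[1:]
    assemblies = [a for a in args if not a.startswith("/")]
    if any(not a.lower().startswith(EXPECTED_ASSEMBLY_DIRS) for a in assemblies):
        return True
    return not assemblies


def unauthorized_task(ev: ProcEvent) -> bool:
    """schtasks /create launched by a parent outside the trusted set."""
    if image_name(ev.image) != "schtasks.exe":
        return False
    if "/create" not in ev.cmdline.lower():
        return False
    return image_name(ev.parent_image) not in TRUSTED_TASK_PARENTS


def phone_link_active(events: list, host: str) -> bool:
    """True if a Phone Link process was seen on the host, i.e. the check
    Pheno performs before tagging a system as 'Maybe connected'."""
    return any(e.host == host and image_name(e.image) in PHONE_LINK_PROCESSES
               for e in events)


def hunt(events: list) -> dict:
    """Map each host with findings to a list of (rule, detail) tuples."""
    findings = {}
    for ev in events:
        hits = findings.setdefault(ev.host, [])
        if unusual_regasm(ev):
            hits.append(("unusual-regasm", ev.cmdline))
        if unauthorized_task(ev):
            hits.append(("unauthorized-schtask", ev.cmdline))
    for host, hits in findings.items():
        if hits and phone_link_active(events, host):
            hits.append(("phone-link-exposed",
                         "Phone Link running alongside suspicious activity"))
    return {h: v for h, v in findings.items() if v}


# Constructed sample telemetry: ws01 mirrors the reported chain (fake
# ScreenConnect update -> loader -> LOLBin abuse), ws02 is benign installer noise.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
              r'RegAsm.exe /U "C:\Users\alice\AppData\Local\Temp\update.dll"',
              r"C:\Users\alice\Downloads\ScreenConnect-Update.exe"),
    ProcEvent("ws01", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Updater" /tr "C:\Users\alice\AppData\Local\Temp\update.exe" /sc minute /mo 5',
              r"C:\Users\alice\AppData\Local\Temp\loader.exe"),
    ProcEvent("ws01", r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
              "PhoneExperienceHost.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent("ws02", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
              r'RegAsm.exe /codebase "C:\Program Files\Vendor\vendor.dll"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent("ws02", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Inventory" /tr "C:\Program Files\Vendor\inv.exe" /sc daily',
              r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"{host}: {rule}: {detail}")
```

The three rules are deliberately independent so each can be tuned or silenced on its own; the final correlation step is what raises priority, since a host that has both the LOLBin activity and a live Phone Link session is the one where SMS and OTP traffic is actually exposed.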
